Anybody know what this new “Rock Solid Security” system is?
How to Scare Security Professionals, CIOs, CEOs, Business Risk and Control Auditors.
Last week a strategic, mission-critical supplier sent me an email informing me that my confidential business and personnel data was going to be moved to Corp A. Corp A is an “offshore” third-party technology supplier that will be sending me a new password to access my data.
I e-mailed back to ask them where exactly the data was going to be stored, how it was going to be secured and how it would comply with local laws and regulations for security and privacy rights.
The supplier replied that they did not know, but they had outsourced that "security stuff" to a vendor, Corp A, and they would get me an answer.
Supplier sent me an email to say that Corp A will store data on servers in one or more foreign countries, managed by two other foreign-based suppliers (Corp B, Corp C). Corp A could add/change others later without notice.
As for security, I should not worry; they use “Rock Solid Security”.
I never heard of the “Rock Solid” algorithm so I looked into this a bit further.
They did not address if "Rock Solid" complied with my local laws and regulations.
I still don't know where/how my data would be encrypted. It does describe that my password will be issued/managed by Corp A in a foreign country, while my supplier would provide them with my data.
Corp A has a master password system that can recover my password and my data for anybody who can convince them to share it, including my company, Corp A, Corp B, Corp C and the supplier, without business control permission or notice.
In order to first access my data, I have to agree to Corp A's legal T&Cs, including the laws of one or more foreign countries. Supplier, Corp A, Corp B and Corp C all have the ability to lock me out of my data. I would have to file a protest in a foreign country to get access restored.
Lastly, the “Customer” cannot interfere with “monitoring” of data, including a restriction that the customer cannot layer additional security precautions onto the data.
I politely suggested they should hire an impartial security professional to have a closer look. I could provide a list of security experts if they asked.
I have not heard a word from them since. The supplier has now been terminated.
There are so many good security people and tools out there.
How does this happen again and again?