AT&T Tech Support 360
- Related Stories
-
FBI makes connections in data breach case
February 10, 2006 -
Why hackers are a step ahead of the law
May 14, 2002 -
Visa sets e-commerce security deadline
February 28, 2001
A hacker had snatched her home address and phone and credit card numbers--even the three-digit security code printed on the back of her credit card--and was offering them to anyone willing to pay the asking price: $5.
Perry, a copyright attorney from Mill Valley, Calif., was among 10 people whose personal data was posted last month on a Web site that specializes in the trafficking of stolen information. Even worse, no one bothered to tell her that her credit card information had been compromised.It's likely that no one was required to do so. Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss.
Most existing laws allow merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a robbery, if disclosing it would interfere with a police investigation.
That's a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of
"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."
Behind the break-ins
The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever."
A national retailer suffered a data breach late last year and thieves managed to steal debit card information,
Perry lost her personal information in a far smaller incident. She and six other people interviewed by CNET News.com whose details were being sold on the same Web site had one thing in common: They shopped at online electronics store JDM Infrastructure. But none of the victims knew their information had been stolen because JDM Infrastructure had never notified them, they said.
While John Marks, chief executive of JDM Infrastructure, acknowledged that the company knew about a computer break-in, he said no customer data was lost. The online electronics reseller doesn't store such information, he said. But regardless of who lost it, did Marks feel compelled to warn customers of the potential threat of identity theft?
"We did everything we we're supposed to do," Marks said.
Marks may well be right, but consumer advocates are alarmed by such attitudes.
"Companies who lose this kind of information owe it to their customers to take responsibility," said Christopher Goetcheus, spokesman for the
On the lawbooks
To understand the problem with disclosure laws around the U.S., California's SB 1386 is a good place to start, because most other state laws were patterned after it.
Passed in September 2002, the California law allows a merchant to stay quiet about a digital data breach if the information lost was encrypted. This could apply even if the "key" to unlock the encryption was also stolen, analysts said. In addition, the state law is unclear on the issue of a merchant's responsibility, if the company's technology provider, such as a Web hosting company, suffered an intrusion.
The law also requires notification to any resident "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." But it offers no criteria for determining "reasonable" belief. Merchants are left to decide for themselves what is reasonable, legal experts said.
While California's laws allow plenty of leeway to merchants, consumer advocates say New York's state disclosure laws are a model for consumer protection. Passed in August 2005,
See more CNET content tagged:
merchant,
debit card,
credit card,
law,
electronics
1. 1 in 8 adults have had there identity stolen with that number
steadily rising.
2. It takes a Congressman in Ohio to pass a law in Iowa against
identity theft.
3. NewYork has the best consumer protection but might not very
well be enough due to Federal Guidelines.
What "in the pickles" is wrong with all three of those statements
above? I'll tell you what is wrong -- no consistency! Anywhere!
And we as a society are supposed to embrace a technology that
would allow us to simply hit up a web site, order our favorite
product or products, and see it in three days without ever
leaving the house. Mmmmn convenience!
Now that's a grandiose notion due to politician's and big
business who's sole purpose is to keep there clients in lieu of
money. How are we supposed to feel safe in cyberspace let alone
real space knowing that our data could be stolen from any one
of those big business like Amazon or Ebay.
The only people that are being saved is the business' selling the
product or service. They get to continue to keep there clients
and there clients money while leaving there clients to fend off
the thieves' aftermath.
FYI, server administrators are paid to ensure that servers are up
to date and patched. After all, that is how data is stolen and
servers hacked, un-patched programs that reside on a server. So
why shouldn't business' be made RESPONSIBLE for not patching
servers?
It is a known fact that exploits are taken and used against these
very companies to get to your data using readily available tool
from the net. Because these companies find it "expensive" in
some sorts to maintain the patches they just leave the servers
unsecured. In return making these companies easy targets for
hackers.
"I guess it's ok to pay your Network Administrator $100,000 a
year to replace keyboards. Personally I think his talent is useful
in other places, but what would I know (www.Tech01.net)?"
Where are the people in all of this? After all, we are trying to
protect the "People's" data. Here's a freebie for all you
politician's, especially Bush.
How about a Federal Law making ANYBODY's server that holds
ANY PERSON DATA of CLIENTS either POTENTIAL or CURRENT
report ANY breaches in the respected databases.
Here's a little bone to add to that:
If a server is breached it must also be reported to the FBI and
logged. Then if deammed the responsibily of the business was
at fault then a $75,000 fine be imposed on the company.
Gee, look at that, a commoner makes a one paragraph law that
makes sense and works across the board to ensure "The People
of the United States of America" are protected against such
crimes as Identity Theft as well as Cyber Theft.
~Justin
www.Tech01.net
1. 1 in 8 adults have had there identity stolen with that number
steadily rising.
2. It takes a Congressman in Ohio to pass a law in Iowa against
identity theft.
3. NewYork has the best consumer protection but might not very
well be enough due to Federal Guidelines.
What "in the pickles" is wrong with all three of those statements
above? I'll tell you what is wrong -- no consistency! Anywhere!
And we as a society are supposed to embrace a technology that
would allow us to simply hit up a web site, order our favorite
product or products, and see it in three days without ever
leaving the house. Mmmmn convenience!
Now that's a grandiose notion due to politician's and big
business who's sole purpose is to keep there clients in lieu of
money. How are we supposed to feel safe in cyberspace let alone
real space knowing that our data could be stolen from any one
of those big business like Amazon or Ebay.
The only people that are being saved is the business' selling the
product or service. They get to continue to keep there clients
and there clients money while leaving there clients to fend off
the thieves' aftermath.
FYI, server administrators are paid to ensure that servers are up
to date and patched. After all, that is how data is stolen and
servers hacked, un-patched programs that reside on a server. So
why shouldn't business' be made RESPONSIBLE for not patching
servers?
It is a known fact that exploits are taken and used against these
very companies to get to your data using readily available tool
from the net. Because these companies find it "expensive" in
some sorts to maintain the patches they just leave the servers
unsecured. In return making these companies easy targets for
hackers.
"I guess it's ok to pay your Network Administrator $100,000 a
year to replace keyboards. Personally I think his talent is useful
in other places, but what would I know (www.Tech01.net)?"
Where are the people in all of this? After all, we are trying to
protect the "People's" data. Here's a freebie for all you
politician's, especially Bush.
How about a Federal Law making ANYBODY's server that holds
ANY PERSON DATA of CLIENTS either POTENTIAL or CURRENT
report ANY breaches in the respected databases.
Here's a little bone to add to that:
If a server is breached it must also be reported to the FBI and
logged. Then if deammed the responsibily of the business was
at fault then a $75,000 fine be imposed on the company.
Gee, look at that, a commoner makes a one paragraph law that
makes sense and works across the board to ensure "The People
of the United States of America" are protected against such
crimes as Identity Theft as well as Cyber Theft.
~Justin
www.Tech01.net
Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security.
Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach.
One company, an austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the priating for over 5 years.
Yet they continue to generate millions in revenue every year and they have Banks and Hospitals as a customer!
As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the priated software to the BSA accomplishes nothing.
Any idiot can setup a web site and take money. There is nothing to compel them to manage security or software licenses. Its a very sad state. Use cash and do not buy online.
Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security.
Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach.
One company, an austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the priating for over 5 years.
Yet they continue to generate millions in revenue every year and they have Banks and Hospitals as a customer!
As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the priated software to the BSA accomplishes nothing.
Any idiot can setup a web site and take money. There is nothing to compel them to manage security or software licenses. Its a very sad state. Use cash and do not buy online.
But since in most corporations, we pay inflated salaries with similar large amounts of funds to their over inflated expense accounts(Jack's style) and share options, at the end of the day, there is no funds left in the kitty, for any form of data security!
Alas , you pay for what you get and get what you pay for! , but you can't get much security for peanuts!
Some choices in real life, can be very costly for some!
But since in most corporations, we pay inflated salaries with similar large amounts of funds to their over inflated expense accounts(Jack's style) and share options, at the end of the day, there is no funds left in the kitty, for any form of data security!
Alas , you pay for what you get and get what you pay for! , but you can't get much security for peanuts!
Some choices in real life, can be very costly for some!
Did you freeze or just put on a watch?
Did you freeze or just put on a watch?
But the problem as I see it here is that customer's PIN information is also stored online as well.
THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!
They claim they did every thing possible... but apparently that didn't include NOT storing the PIN number...
So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customer's of the breach).
Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those whom are affected... which they didn't do!
So in my book... they're guilty on both accounts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!
Walt
But the problem as I see it here is that customer's PIN information is also stored online as well.
THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!
They claim they did every thing possible... but apparently that didn't include NOT storing the PIN number...
So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customer's of the breach).
Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those whom are affected... which they didn't do!
So in my book... they're guilty on both accounts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!
Walt