CardSystems Settles For Slap On The Wrist
from the detect-a-pattern-yet? dept
CardSystems Solutions, the company behind the biggest-ever personal data leak, has settled with the FTC, and unsurprisingly, the penalties are pretty toothless. The FTC couldn't even levy a meaningless token fine, as it's done before, because of the law it said CardSystems broke, so all the company (which has since been bought out) has to do is implement a "comprehensive" security program and get independent audits every other year for the next 20 years. But what's comprehensive, and is there any enforcement action should the audits find deficiencies? With at least one court indicating the mere existence of a security policy is a reasonable enough measure for a company to avoid liability for data leaks, it's hard to take any comfort from the FTC's settlement. This stuff is a joke -- in the CardSystems case, where tens of millions of people's credit-card information was exposed, a judge ruled that Visa and Mastercard didn't even have to notify the 265,000 cardholders who had enough information stolen that it could be used fraudulently because there was no "immediate threat of irreparable harm". This ignores the fact that the effects of identity theft can linger on for years, and merely serves to underline the point that for most companies, the fallout from data leaks is nothing more than an acceptable cost of doing business.