CardSystems Settles For Slap On The Wrist

from the detect-a-pattern-yet? dept

CardSystems Solutions, the company behind the biggest-ever personal data leak, has settled with the FTC, and unsurprisingly, the penalties are pretty toothless. The FTC couldn’t even levy a meaningless token fine, as it’s done before, because of the law it said CardSystems broke, so all the company (which has since been bought out) has to do is implement a “comprehensive” security program and get independent audits every other year for the next 20 years. But what counts as comprehensive, and is there any enforcement action should the audits find deficiencies? With at least one court indicating that the mere existence of a security policy is a reasonable enough measure for a company to avoid liability for data leaks, it’s hard to take any comfort from the FTC’s settlement. This stuff is a joke — in the CardSystems case, where tens of millions of people’s credit-card information was exposed, a judge ruled that Visa and Mastercard didn’t even have to notify the 265,000 cardholders who had enough information stolen that it could be used fraudulently, because there was no “immediate threat of irreparable harm”. This ignores the fact that the effects of identity theft can linger for years, and merely serves to underline the point that for most companies, the fallout from data leaks is nothing more than an acceptable cost of doing business.


Comments on “CardSystems Settles For Slap On The Wrist”

Jobe (user link) says:

What about my rights

Like privacy, and not having to worry if some hacker got my credit card number.
How about Congress passing some law to make it mandatory that if a company “leaks” credit card information, they are responsible for any unwanted charges that are accrued on it, or that the company has a “comprehensive” security program in place if the company needs to have your credit card number.

Wishful thinking.

emichan says:

No Subject Given

It seems like these judges don’t really realize how much harm a malicious person can do if they have your personal information.

We’ll just have to wait until one of these companies is brought before a judge who’s had his/her information leaked. Then maybe the judge will have a better idea of just how much harm these types of leaks can cause.

Warren A Hall says:

Security wrist slaps not enuf. .exe them

Any organization that loses usable backup information to an outside “party” should be liable for every penny of subsequent individual consumer out of pocket costs plus a liberal allowance for pain and suffering, and a seven year aggregation of costs covering all components of identity theft, with minimal required proof of guilt of the organization by an individual (see below), plus a fee for preparation of auditable expense and loss reports (at professional accountant’s rate), plus interest on all claims; all of which is to be paid within five weeks.

Callous indifference or rank laziness leaves an organization open to the above claim, due to the simple acts and slight additional effort that make the backup tapes/media useless to practically anyone but the operations group. It is only they who have access to the master log of backups, which provides the media i.d., encryption key i.d. and a log of the fields of data-set content by backup media i.d. and other sequences as well.

How and why penalties should be severe:

I/P Department must do the following

No tape or other media will have data-set name, department name, or user name on the outside of the media. The encryption key must be changed for each dataset. The data of any set is to be striped to backup; do it in a RAID format if practical. The I/P Department may select any vendor for the backup control system, the RAID process, the encryption service, and other management services. All output is to be compressed, either by the RAID operation or by the backup program. All data sets are to be encrypted with 4096 bit keys. The systems group is not exempt from any of the above requirements; that includes source code, compiled/object code, script files, j.c.l./job streams, et al.

The use of raid technology, encryption, and backup management have always been goals of I/P, not just blue-sky. With this proposal as a goad, none will have any excuse for non-compliance, and with the features outlined above, practically no one will be able to “break” the security to see so much as a recognizable digit or name.

Warren Hall
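The media-handling scheme described in the comment above (opaque external labels, a fresh key per dataset, compress-then-encrypt, and a master log that only operations can read) is sketched below as an added Python example. It is not the commenter's code and not any product's: the catalog, the `seal`/`unseal` helpers and the 256-bit symmetric keys are assumptions made here, the HMAC-SHA256 counter-mode construction is a standard-library stand-in for a real cipher such as AES-GCM, and the RAID striping the comment calls for is left out.

```python
"""Backup-media handling sketch (added example): opaque external labels, a
per-dataset key, compress-then-encrypt, and a master log kept by operations."""
import hashlib
import hmac
import json
import secrets
import zlib

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stdlib-only stand-in for a
    real cipher; an assumption of this example, not the comment's specification)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Compress, encrypt under a fresh nonce, then authenticate (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = zlib.compress(plaintext)  # compress first, as the comment requires
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any altered media is rejected outright."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup media failed authentication")
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return zlib.decompress(body)


class BackupCatalog:
    """The operations group's master log: the only place that maps an opaque
    media id back to a dataset name, a key id, and the key material itself."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, bytes]] = {}  # key id -> (enc key, mac key)
        self._media: dict[str, dict] = {}                # media id -> log entry

    def write_backup(self, dataset: str, fields: list[str], payload: bytes) -> tuple[str, bytes]:
        """Return (external label, sealed bytes).  The label carries no dataset,
        department or user name, and a new key is minted for every dataset written."""
        media_id = secrets.token_hex(8)
        key_id = secrets.token_hex(8)
        enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)  # 256-bit keys (assumption)
        self._keys[key_id] = (enc_key, mac_key)
        self._media[media_id] = {"dataset": dataset, "key_id": key_id, "fields": fields}
        return media_id, seal(enc_key, mac_key, payload)

    def restore(self, media_id: str, blob: bytes) -> bytes:
        entry = self._media[media_id]
        enc_key, mac_key = self._keys[entry["key_id"]]
        return unseal(enc_key, mac_key, blob)

    def external_label(self, media_id: str) -> str:
        """The only text permitted on the outside of the media."""
        return f"MEDIA {media_id}"

    def key_id_for(self, media_id: str) -> str:
        return self._media[media_id]["key_id"]


def demo() -> dict:
    """Constructed sample run: two datasets with the same content, plus one tampered copy."""
    catalog = BackupCatalog()
    payroll = json.dumps([{"name": "A. Example", "card": "4111-XXXX-XXXX-1234"}]).encode()
    label_a, blob_a = catalog.write_backup("PAYROLL.2006", ["name", "card"], payroll)
    label_b, blob_b = catalog.write_backup("PAYROLL.2006.COPY", ["name", "card"], payroll)
    tampered = bytearray(blob_a)
    tampered[NONCE_LEN] ^= 0x01  # flip one bit of the first ciphertext byte
    try:
        catalog.restore(label_a, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_ok": catalog.restore(label_a, blob_a) == payroll,
        "distinct_keys": catalog.key_id_for(label_a) != catalog.key_id_for(label_b),
        "distinct_ciphertext": blob_a != blob_b,
        "label_leaks_nothing": "PAYROLL" not in catalog.external_label(label_a),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script and `demo()` reports that the same payload written twice produces different key ids and different ciphertext, that the external label reveals nothing about the dataset, and that a single flipped bit on the media is refused at restore time. The point the comment makes is visible in the structure: a tape found outside the building is an opaque blob, and only the `BackupCatalog` held by operations turns its label into a key.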
