Are Breach Notification Laws Anything More Than Window Dressing?

from the fresh-paint-on-an-eyesore dept

Given how often credit-card data is leaked from retailers, payment processors or banks, most of us are familiar with the breach-notification letters card issuers send out — and many of us probably don’t pay a whole lot of attention to them, since they’re often followed by a new card for us to start using. These notifications are required by law in many states, but they’ve become so common, and provide so little useful information, that some people wonder whether they serve any purpose at all. Yes, argues another blogger, mainly because, he says, the notifications tell consumers where the breach happened, giving them a warning to change any other card number they’ve used there, or the opportunity to stop patronizing that business. But is that really the case? In my experience, the breach notifications I’ve received have never provided any specific information about the source of a breach, and neither banks nor credit-card companies have ever been willing to disclose one. And if the breach occurs at a company like a payment processor, with which consumers have no direct contact, they can’t take their business elsewhere. For consumers, the notifications themselves may not help much, but they do have value in forcing companies that have lost data to disclose it to other players in the ecosystem. The big risk, though, is that the notifications get viewed as a security solution in and of themselves, on the theory that the shame of having to disclose a breach will guilt companies into better security. That hasn’t worked, as the breaches continue unabated, so it’s high time to find some new and effective solutions.


Comments on “Are Breach Notification Laws Anything More Than Window Dressing?”

R. Miles says:

Good ol' cash could be making a comeback!

That hasn’t worked, as the breaches continue unabated, so it’s high time to find some new and effective solutions.
After reading the story of the group who successfully cracked the encryption using several PlayStation 3 consoles, I’ve pretty much given up hope on any “effective” solution.

All solutions will break, in time. It’s a constant cat & mouse game, and one day, it’ll reach an impasse. I’m sure the costs to continue developing new solutions is taking its toll, especially on the consumer who ends up paying for it in the long run.

Cards are convenient, but I see a day when cash begins to make a comeback for local purchases as consumer trust in electronic transactions diminishes. How many times do you think consumers will tolerate having to receive new cards on every breach? They’ll tire of it eventually.

Meh. What can anyone do.

Steve R. (profile) says:

Another Marketing Ploy

When we receive these notices, we also get in the mail the sales pitch for signing-up for “identity theft protection”. I have also gotten phone calls, that I assume are related to marketing the identity theft protection product. I didn’t answer the phone, but got the vague voice mail requesting a call back concerning an “issue”.

TheStuipdOne says:

Proper Punishment

It seems logical to me that if a company loses my credit card information then they need to be punished and I need to be compensated. So they should be forced to pay off ALL the debt on ALL the cards they lost info on, and cover all the bank’s costs in replacing the cards.

To be honest not that much money for me cause I keep mine paid off, but that can be $10,000 or more for some people. If I assume an average of $500 per card and 60,000 lost cards we are talking 30 million dollars. A slap on the wrist to some big companies but definitely worth improving security.

Man from Atlanta says:

notifications no longer useful

I worked on a few breach responses over the last few years. When notification laws first came out, notifications were useful. Execs took their duties seriously. Recipients responded and reviewed their credit reports, wrote letters, etc. There was a reaction.

But even as long ago as two years ago, the public became too used to the notices. They became commonplace. As responders, we watched this and knew our responses were becoming less important.

The content of notices changed too; they became less useful. Companies figured out that the lessening furor did not require offering cheap credit monitoring, so they stopped offering it. Notification became a nuisance, not a moral duty. Steve R. is right, some businesses also began trying to turn breaches into profitable events!

Notification is no longer the guilt-tinged mea culpa it used to be. The notification laws no longer perform their intended function.
