Are Breach Notification Laws Anything More Than Window Dressing?
from the fresh-paint-on-an-eyesore dept
Given how often credit-card data is leaked from retailers, payment processors or banks, most of us are familiar with the breach-notification letters card issuers send out — and many of us probably don’t pay a whole lot of attention to them, since they’re often followed by a new card for us to start using. These notifications are required in many states by law, but they’ve become so common, and provide so little useful information, that some people wonder if they serve any use at all. Yes, argues another blogger, mainly because he says the notifications provide consumers with information regarding the source of the breach, giving them extra warning to change any other card number they’ve used there, or the opportunity to no longer patronize a particular business. But is that really the case? In my experience, the breach notifications I’ve received have never provided any specific information about the source of a breach, and neither banks or credit-card companies have ever been willing to disclose a source. And if the breach occurs at a company like a payment processor, with which consumers have no direct contact, they can’t take their business elsewhere. For consumers, the notifications themselves may not help much, but they do have value in forcing companies that have lost data to disclose it to other players in the ecosystem. But the big risk of the notifications is if they’re viewed as a security solution in and of themselves, such as if thinking that the shame of having to disclose a breach will guilt companies into better security. That hasn’t worked, as the breaches continue unabated, so it’s high time to find some new and effective solutions.
Filed Under: breach notification
Comments on “Are Breach Notification Laws Anything More Than Window Dressing?”
Good ol' cash could be making a comeback!
That hasn’t worked, as the breaches continue unabated, so it’s high time to find some new and effective solutions.
After reading the story of the group who successfully cracked the encryption using several PlayStation 3 consoles, I’ve pretty much given up hope on any “effective” solution.
All solutions will break, in time. It’s a constant cat & mouse game, and one day, it’ll reach an impasse. I’m sure the costs to continue developing new solutions is taking its toll, especially on the consumer who ends up paying for it in the long run.
Cards are convenient, but I see a day when cash begins to make a comeback for local purchases as consumer trust in electronic transactions diminishes. How many times do you think consumers will tolerate having to receive new cards on every breach? They’ll tire of it eventually.
Meh. What can anyone do.
It's no big deal
until someone with influence is affected – then let the whining begin.
Another Marketing Ploy
When we receive these notices, we also get in the mail the sales pitch for signing-up for “identity theft protection”. I have also gotten phone calls, that I assume are related to marketing the identity theft protection product. I didn’t answer the phone, but got the vague voice mail requesting a call back concerning an “issue”.
It seems logical to me that if a company loses my credit card information then they need to be punished and I need to be compensated. So they should be forced to pay off ALL the debt on ALL the cards they lost info on, and cover all the bank’s costs in replacing the cards.
To be honest not that much money for me cause I keep mine payed off, but that can be $10,000 or more for some people. If I assume an average of $500 per card and 60,000 lost cards we are talking 30 million dollars. A slap on the wrist to some big companies but definitely worth improving security.
Re: Proper Punishment
no, I think there should be fines, but that is a bit prohibitive to smaller companies and could also wrongfully punish an unavoidable breach.
notifications no longer useful
I worked on a few breach responses over the last few years. When notification laws first came out, notifications were useful. Execs took their duties seriously. Recipients responded and reviewed their credit reports, wrote letters, etc. There was a reaction.
But even as long ago as two years ago, the public became too used to the notices. They became commonplace. As responders, we watched this and knew our responses were becoming less important.
The content of notices changed too, they became less useful. Companies figured out that the lessening furor did not require offering cheap credit monitoring, so they stopped offering it. Notification became a nuisance, not a moral duty. Steve R. is right, some businesses also began trying to turn breaches into profitable events!
Notification is no longer the guilt-tinged mea culpa it used to be. The notification laws no longer perform their intended function.