CardSystems Settles For Slap On The Wrist

from the detect-a-pattern-yet? dept

CardSystems Solutions, the company behind the biggest-ever personal data leak, has settled with the FTC, and unsurprisingly, the penalties are pretty toothless. The FTC couldn't even levy a meaningless token fine, as it's done before, because of the law it said CardSystems broke, so all the company (which has since been bought out) has to do is implement a "comprehensive" security program and get independent audits every other year for the next 20 years. But what's comprehensive, and is there any enforcement action should the audits find deficiencies? With at least one court indicating the mere existence of a security policy is a reasonable enough measure for a company to avoid liability for data leaks, it's hard to take any comfort from the FTC's settlement. This stuff is a joke -- in the CardSystems case, where tens of millions of people's credit-card information was exposed, a judge ruled that Visa and Mastercard didn't even have to notify the 265,000 cardholders who had enough information stolen that it could be used fraudulently because there was no "immediate threat of irreparable harm". This ignores the fact that the effects of identity theft can linger on for years, and merely serves to underline the point that for most companies, the fallout from data leaks is nothing more than an acceptable cost of doing business.

Reader Comments

  • Mike, 24 Feb 2006 @ 12:36pm

    No Subject Given

    Porn!


  • Jobe, 24 Feb 2006 @ 1:27pm

    What about my rights

    Like privacy, and not having to worry if some hacker got my credit card number.
    How about Congress passing some law to make it mandatory that if a company "leaks" credit card information, they are responsible for any unwanted charges that are accrued on it, or that the company has a "comprehensive" security program in place if the company needs to have your credit card number.

    Wishful thinking.


  • emichan, 24 Feb 2006 @ 4:14pm

    No Subject Given

    It seems like these judges don't really realize how much harm a malicious person can do if they have your personal information.
    We'll just have to wait until one of these companies is brought before a judge who's had his/her information leaked. Then maybe the judge will have a better idea of just how much harm these types of leaks can cause.


  • Warren A Hall, 13 Mar 2006 @ 8:54pm

    Security wrist slaps not enuf. .exe them

    Any organization that loses usable backup information to an outside "party" should be liable for every penny of subsequent individual consumer out-of-pocket costs, plus a liberal allowance for pain and suffering, and a seven-year aggregation of costs covering all components of identity theft, with minimal required proof of guilt of the organization by an individual (see below), plus a fee for preparation of auditable expense and loss reports (at a professional accountant's rate), plus interest on all claims; all of which is to be paid within five weeks.

    Callous indifference or rank laziness leaves an organization open to the above claim, due to the simple acts and slight additional effort that make the backup tapes/media useless to practically any but the operations group. It is only they who have access to the master log of backups, which provides the media i.d., encryption key i.d., and a log of the fields of data-set content by backup media i.d. and other sequences as well.

    How and why penalties should be severe: the I/P Department must do the following:

    • No tape or other media will have data-set name, department name, or user name on the outside of the media.
    • The encryption key must be changed for each dataset.
    • The data of any set is to be striped to backup; do in a raid format if practical.
    • The I/P Department may select any vendor for the backup control system, the Raid process, the encryption service, and other management services.
    • All output is to be compressed, either by the Raid operation or by the backup program.
    • All data sets are to be encrypted with 4096 bit keys.
    • The systems group is not exempt from any of the above requirements; that includes source code, compiled/object code, script files, j.c.l./job streams, et al.

    The use of raid technology, encryption, and backup management have always been goals of I/P, not just blue-sky. With this proposal as a goad, none will have any excuse for non-compliance, and with the features outlined above, practically no one will be able to "break" the security to see so much as a recognizable digit or name.

    Warren Hall

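As an added illustration (not code from the article or from the commenter), the media-handling discipline the comment above describes, namely an opaque label on each medium, a fresh key per dataset, and a master log held only by operations that maps media id to key id and content fields, can be sketched as a small catalog. The `BackupCatalog` class, the HMAC-SHA256 counter-mode keystream standing in for a real authenticated cipher, and the sample records are all assumptions made here for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in keystream built from HMAC-SHA256 in counter mode (assumed here so
# the example runs on the standard library alone); a real backup system would
# use an authenticated cipher such as AES-GCM from a vetted library.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        out.extend(hmac.new(key, nonce + block_no.to_bytes(8, "big"),
                            hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, out))  # zip truncates to len(data)

class BackupCatalog:
    """Master log kept by operations: the only place where an opaque media id
    maps to a key id, and where dataset names and field lists are recorded."""
    def __init__(self):
        self.keys = {}       # key_id -> raw key; one fresh key per dataset
        self.media_log = {}  # media_id -> {key_id, nonce, dataset, fields}

    def write_backup(self, dataset: str, fields: list, payload: bytes) -> dict:
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        nonce, media_id = secrets.token_bytes(16), secrets.token_hex(8)
        self.keys[key_id] = key
        self.media_log[media_id] = {"key_id": key_id, "nonce": nonce,
                                    "dataset": dataset, "fields": fields}
        # The medium itself carries only an opaque id and ciphertext:
        # no dataset, department or user name on the outside.
        return {"label": media_id, "blob": _keystream_xor(key, nonce, payload)}

    def restore(self, medium: dict) -> bytes:
        entry = self.media_log[medium["label"]]
        key = self.keys[entry["key_id"]]
        return _keystream_xor(key, entry["nonce"], medium["blob"])

def label_leaks_names(medium: dict, names: list) -> bool:
    """True if any sensitive name is readable on the medium's label or blob."""
    visible = medium["label"].encode() + medium["blob"]
    return any(n.encode() in visible for n in names)

if __name__ == "__main__":
    cat = BackupCatalog()
    # Constructed sample record, not real data.
    medium = cat.write_backup("PAYROLL.Q1", ["name", "ssn"], b"Alice,000-00-0000\n")
    print(medium["label"], cat.restore(medium))
```

Without the catalog, a lost medium yields only an opaque hex label and ciphertext, which is the property the comment is asking regulators to require.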
