[Dataloss] rant: Useless Compensation for Data Loss Incidents

David Metcalf dmetcalf at mcraemetcalf.com
Wed Jun 11 20:57:36 UTC 2008

I agree, but it is difficult to specify a concrete alternative that a court
could order these companies to provide.  The TJX settlement called for
credit monitoring, not because it was perfect, but rather because the
lawyers and plaintiffs' experts could not think of a better alternative that
the court might actually award.  Defense lawyers now tell their clients
that, based on this precedent, credit monitoring is all they are liable to
provide.  If a better response could be developed and approved by a court in
making a class action award, that would become the new "industry standard."


Any ideas?  Should credit monitoring be the standard for incidents like
Hannaford (involving Track 2 data), but require a higher level of protection
for incidents like BNY Mellon of U of U where social security numbers,
medical records or highly personal information is disclosed?



From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of MKEVHILL at aol.com
Sent: Wednesday, June 11, 2008 9:02 AM
To: lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents


Credit monitoring is the cheapest reactive measure, plain and simple.  And
without a doubt, its a false sense of security these "careless
organizations" are giving the effected individuals. 








Michael Hill 
Certified Identity Theft Risk Management Specialist
www.idtheft101.net <http://www.idtheft101.net/>  



In a message dated 6/11/2008 3:33:05 A.M. Eastern Daylight Time,
lyger at attrition.org writes:


Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have 
received a letter from the careless organization that lost your 
information. These letters always offer apologies and sincere hope that 
your identity or personal information isn't abused. The recent BNY Mellon 
incident (which now stands at 4.5 million potential customers affected) 
resulted in customers receiving such a letter:


Notice that in return for having your personal information lost, they are 
offering free credit monitoring for 12 whole months! This seemingly 
generous offer has apparently become the standard business practice for 
acceptable compensation when your personal information is treated with 
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" 
credit monitoring product (despite no mention of that 'product' on the 
consumerinfo.com web page), which watches for changes to your credit 
reports from the three national credit reporting agencies in the United 
States (Experian, Equifax, TransUnion). If you are unlucky and get caught 
up in multiple data loss incidents, you may receive this "gracious 
compensation" many times over.

First, why is this type of reactive credit monitoring acceptable 
compensation? This seems to be another case of one business following 
another and... voila, we have an industry 'standard' that does little to 
serve the customer but does everything to serve businesses that want to 
look caring and "customer-centric" in the media.

Dataloss Mailing List (dataloss at attrition.org)

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!



Vote for your city's best dining and nightlife. City's Best 2008
<http://citysbest.aol.com?ncid=aolacg00050000000102> .

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080611/d676cb8b/attachment.html 

More information about the Dataloss mailing list