<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word" xmlns:st1 =
"urn:schemas-microsoft-com:office:smarttags"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16674" name=GENERATOR><!--[if !mso]>
<STYLE>v\:* {
        BEHAVIOR: url(#default#VML)
}
o\:* {
        BEHAVIOR: url(#default#VML)
}
w\:* {
        BEHAVIOR: url(#default#VML)
}
..shape {
        BEHAVIOR: url(#default#VML)
}
</STYLE>
<![endif]--><o:SmartTagType name="place"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><o:SmartTagType
name="City"
namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><!--[if !mso]>
<STYLE>st1\:* {
        BEHAVIOR: url(#default#ieooui)
}
</STYLE>
<![endif]-->
<STYLE>@font-face {
        font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
        COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US id=role_body bottomMargin=7 vLink=blue link=blue leftMargin=7
topMargin=7 rightMargin=7>
<DIV dir=ltr align=left><SPAN class=046570801-12062008><FONT face=Arial
color=#0000ff size=2>Fines and other penalties by the federal and state
governments. There is no 100% safe way to protect data, we all know this,
but some companies lag on providing even the basics - and they should have to
pay the price. As it is now the FTC doesn't do much as far as regulation
goes - time for some official body to step up to the plate and start making
these companies accountable outside of long running class action suits that just
further bog down a court system that is already bogged down. The only
people that are making any money out of these class action suits are the LAWYERS
on both sides and they are making out like bandits. It's not in their
interest to try to solve the ROOT of the problem. Herein lies the
rub.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> dataloss-bounces@attrition.org
[mailto:dataloss-bounces@attrition.org] <B>On Behalf Of </B>David
Metcalf<BR><B>Sent:</B> Wednesday, June 11, 2008 4:58 PM<BR><B>To:</B>
MKEVHILL@aol.com; lyger@attrition.org; dataloss@attrition.org<BR><B>Subject:</B>
Re: [Dataloss] rant: Useless Compensation for Data Loss
Incidents<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: Arial">I agree, but it is difficult to
specify a concrete alternative that a court could order these companies to
provide. The TJX settlement called for credit monitoring, not because it
was perfect, but rather because the lawyers and plaintiffs’ experts could not
think of a better alternative that the court might actually award. Defense
lawyers now tell their clients that, based on this precedent, credit monitoring
is all they are liable to provide. If a better response could be developed
and approved by a court in making a class action award, that would become the
new “industry standard.” <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: Arial">Any ideas? Should credit
monitoring be the standard for incidents like Hannaford (involving Track 2
data), but require a higher level of protection for incidents like BNY Mellon or
U of U where social security numbers, medical records or highly personal
information is disclosed?<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=3><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<DIV>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT
face="Times New Roman" size=3><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center width="100%" SIZE=3>
</SPAN></FONT></DIV>
<P class=MsoNormal><B><FONT face=Tahoma size=2><SPAN
style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT
face=Tahoma size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <B><SPAN
style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>MKEVHILL@aol.com<BR><B><SPAN
style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wednesday, June 11, 2008 9:02
AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> lyger@attrition.org;
dataloss@attrition.org<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B>
Re: [Dataloss] rant: Useless Compensation for Data Loss
Incidents</SPAN></FONT><o:p></o:p></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" size=3><SPAN
style="FONT-SIZE: 12pt"><o:p> </o:p></SPAN></FONT></P>
<DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial">Credit monitoring is
the cheapest reactive measure, plain and simple. And without a
doubt, it's a false sense of security these "careless organizations"
are giving the affected individuals. <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial">Mike<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial">Michael Hill
<BR>Certified Identity Theft Risk Management Specialist<BR><A
href="http://www.idtheft101.net/">www.idtheft101.net</A>
<BR>404-216-3751<BR><BR><BR><o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"> <o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial">In a message dated
6/11/2008 3:33:05 A.M. Eastern Daylight Time, lyger@attrition.org
writes:<o:p></o:p></SPAN></FONT></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; MARGIN-TOP: 5pt; PADDING-LEFT: 3pt; MARGIN-BOTTOM: 5pt; PADDING-BOTTOM: 0in; MARGIN-LEFT: 2.5pt; BORDER-LEFT: blue 1pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><FONT face=Arial color=black size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial"><BR>http://attrition.org/security/rant/dl-compensation.html<BR><BR>Wed
Jun 11 03:38:35 EDT 2008<BR>Apacid, <st1:City w:st="on"><st1:place
w:st="on">Jericho</st1:place></st1:City><BR><BR>If you have been the victim of
a data loss incident, odds are you have <BR>received a letter from the
careless organization that lost your <BR>information. These letters always
offer apologies and sincere hope that <BR>your identity or personal
information isn't abused. The recent BNY Mellon <BR>incident (which now stands
at 4.5 million potential customers affected) <BR>resulted in customers
receiving such a letter:<BR><BR>[.]<BR><BR>Notice that in return for having
your personal information lost, they are <BR>offering free credit monitoring
for 12 whole months! This seemingly <BR>generous offer has apparently become
the standard business practice for <BR>acceptable compensation when your
personal information is treated with <BR>carelessness. BNY opted to go with
ConsumerInfo.com's "Triple Alert" <BR>credit monitoring product (despite no
mention of that 'product' on the <BR>consumerinfo.com web page), which watches
for changes to your credit <BR>reports from the three national credit
reporting agencies in the United <BR>States (Experian, Equifax, TransUnion).
If you are unlucky and get caught <BR>up in multiple data loss incidents, you
may receive this "gracious <BR>compensation" many times over.<BR><BR>First,
why is this type of reactive credit monitoring acceptable <BR>compensation?
This seems to be another case of one business following <BR>another and...
voila, we have an industry 'standard' that does little to <BR>serve the
customer but does everything to serve businesses that want to <BR>look caring
and "customer-centric" in the
media.<BR><BR>[...]<BR>_______________________________________________<BR>Dataloss
Mailing List
(dataloss@attrition.org)<BR>http://attrition.org/dataloss<o:p></o:p></SPAN></FONT></P></BLOCKQUOTE></DIV>
</DIV></BODY></HTML>