<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue id="role_body" bottomMargin=7
leftmargin=7 topmargin=7 rightMargin=7>
<div class=Section1>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>I agree, but it is difficult to specify a concrete
alternative that a court could order these companies to provide. The TJX
settlement called for credit monitoring, not because it was perfect, but rather
because the lawyers and plaintiffs’ experts could not think of a better
alternative that the court might actually award. Defense lawyers now tell
their clients that, based on this precedent, credit monitoring is all they are
liable to provide. If a better response could be developed and approved
by a court in making a class action award, that would become the new “industry
standard.” <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Any ideas? Should credit monitoring be the standard
for incidents like Hannaford (involving Track 2 data), but require a higher
level of protection for incidents like BNY Mellon or U of U where social
security numbers, medical records or highly personal information is disclosed?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=3 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>MKEVHILL@aol.com<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, June 11, 2008
9:02 AM<br>
<b><span style='font-weight:bold'>To:</span></b> lyger@attrition.org;
dataloss@attrition.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Dataloss] rant:
Useless Compensation for Data Loss Incidents</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'>Credit monitoring is the
cheapest reactive measure, plain and simple. And without a
doubt, it's a false sense of security these "careless
organizations" are giving the affected individuals. <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'>Mike<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'>Michael Hill <br>
Certified Identity Theft Risk Management Specialist<br>
<a href="http://www.idtheft101.net/">www.idtheft101.net</a> <br>
404-216-3751<br>
<br>
<br>
<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'>In a message dated 6/11/2008 3:33:05 A.M.
Eastern Daylight Time, lyger@attrition.org writes:<o:p></o:p></span></font></p>
</div>
<blockquote style='border:none;border-left:solid blue 1.0pt;padding:0in 0in 0in 3.0pt;
margin-left:2.5pt;margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'><br>
http://attrition.org/security/rant/dl-compensation.html<br>
<br>
Wed Jun 11 03:38:35 EDT 2008<br>
Apacid, <st1:City w:st="on"><st1:place w:st="on">Jericho</st1:place></st1:City><br>
<br>
If you have been the victim of a data loss incident, odds are you have <br>
received a letter from the careless organization that lost your <br>
information. These letters always offer apologies and sincere hope that <br>
your identity or personal information isn't abused. The recent BNY Mellon <br>
incident (which now stands at 4.5 million potential customers affected) <br>
resulted in customers receiving such a letter:<br>
<br>
[...]<br>
<br>
Notice that in return for having your personal information lost, they are <br>
offering free credit monitoring for 12 whole months! This seemingly <br>
generous offer has apparently become the standard business practice for <br>
acceptable compensation when your personal information is treated with <br>
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" <br>
credit monitoring product (despite no mention of that 'product' on the <br>
consumerinfo.com web page), which watches for changes to your credit <br>
reports from the three national credit reporting agencies in the United <br>
States (Experian, Equifax, TransUnion). If you are unlucky and get caught <br>
up in multiple data loss incidents, you may receive this "gracious <br>
compensation" many times over.<br>
<br>
First, why is this type of reactive credit monitoring acceptable <br>
compensation? This seems to be another case of one business following <br>
another and... voila, we have an industry 'standard' that does little to <br>
serve the customer but does everything to serve businesses that want to <br>
look caring and "customer-centric" in the media.<br>
<br>
[...]<br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
http://attrition.org/dataloss<br>
<o:p></o:p></span></font></p>
</blockquote>
</div>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:black'> <o:p></o:p></span></font></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 color=black
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:black'><br>
<br>
<o:p></o:p></span></font></p>
</div>
</body>
</html>