[attrition] rant: Useless Compensation for Data Loss Incidents

lyger lyger at attrition.org
Wed Jun 11 07:29:31 UTC 2008


http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008

Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have 
received a letter from the careless organization that lost your 
information. These letters always offer apologies and sincere hope that 
your identity or personal information isn't abused. The recent BNY Mellon 
incident (which now stands at 4.5 million potential customers affected) 
resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are 
offering free credit monitoring for 12 whole months! This seemingly 
generous offer has apparently become the standard business practice for 
acceptable compensation when your personal information is treated with 
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" 
credit monitoring product (despite no mention of that 'product' on the 
consumerinfo.com web page), which watches for changes to your credit 
reports from the three national credit reporting agencies in the United 
States (Experian, Equifax, TransUnion). If you are unlucky and get caught 
up in multiple data loss incidents, you may receive this "gracious 
compensation" many times over.

First, why is this type of reactive credit monitoring acceptable 
compensation? This seems to be another case of one business following 
another and... voila, we have an industry 'standard' that does little to 
serve the customer but does everything to serve businesses that want to 
look caring and "customer-centric" in the media.

[...]

