[Dataloss] confirming victims of data breaches?

Brad Putnam bputnam at digitalcomply.com
Mon Jul 21 23:50:25 UTC 2008


Hi Rob;

I have to tell you, this is one of the best questions I've seen in regard to
helping consumers.  To my knowledge, there are zero laws that compel a
company to come clean upon verbal request of a client.  Obviously, it would
be good for the individual consumer; however, it could also be used
nefariously.  Steal a DB, call and confirm the data is good.  Your point is
well taken and I need to think on it a bit...

I would love opinion on the subject, but I don't want to request anything
without the permission of Attrition folks to utilize their list...

Lastly, this is one of the best managed mail lists I've been a party to.
Thank you Lyger and Co!

Best regards,
BP  

Brad Putnam
President and CEO
Digital Compliance, LLC
PO Box 792 
Billings, MT. 59103
406-325-9737 Phone
406-325-9738 Fax
BPutnam at digitalcomply.com
 

This email communication may contain CONFIDENTIAL INFORMATION WHICH ALSO MAY
BE LEGALLY PRIVILEGED and is intended only for the use of the intended
recipients identified above.  If you are not the intended recipient of this
communication, you are hereby notified that any unauthorized review, use,
dissemination, distribution, downloading, or copying of this communication
is strictly prohibited.  If you have received this communication in error,
please immediately notify us by reply email, delete the communication and
destroy all copies.


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Rob Shavell
Sent: Monday, July 21, 2008 4:51 PM
To: dataloss at attrition.org
Subject: [Dataloss] confirming victims of data breaches?

hi all,

as notification laws proliferate, i'm wondering, w/out a notification
letter, can consumers themselves really confirm if they are part of a
breach?

in my experience, calling up a company directly to ask if you are
affected by a breach results in a canned response saying "did you get
a letter"? or "contact your credit card company"

do companies have any responsibility to tell those who may have NOT
YET received a notification (state doesn't require it, moved,
whatever) that they are indeed affected?  if not, doesn't this reality
counter the spirit of the laws and companies doing the right thing?

i understand that SSNbreach (and maybe others?) are trying to do
something about this. is there any way to empower consumers here?

rgds,
rob
___________________
Rob Shavell
Director of Compliance
IdentityForce
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml



More information about the Dataloss mailing list