[Dataloss] confirming victims of data breaches?

DAIL, WILLARD A ADAIL at sunocoinc.com
Tue Jul 22 15:01:49 UTC 2008


Technically speaking, do you think most companies involved in a breach
perform triage on the consumers to determine who must be notified?
Personally, I do not think most companies have enough information to do
that.

I think some companies may make a conscious decision to break the law by
not reporting the incident at all (which is a different discussion in my
opinion), but most advice given by Privacy lawyers is to just notify
everyone and not to try to determine which state laws apply, and which
do not.  Also, you really do not want to get into the trap of trying to
determine actual risk to the consumer, as allowed by some breach
disclosure laws.  You will never make the right decision.

On a more technical level, at least in terms of payment cards (which is
my focus), we do not keep consumer information to correlate PANs to
consumers.  Generally speaking, if we suffered a breach we would have a
list of PANs and possibly expiration dates.  We'd provide that list to
our processor who would determine the issuers based on BIN range, and
notify the issuing banks.

At that point either the bank(s) would notify their customer that a
breach involving their card number had occurred, or if the bank(s)
wanted the merchant to foot the expense, the bank(s) would provide
customer contact information, and would probably want to see a copy of
the letter that went out.  Law enforcement, working with the attorneys
general, would determine the schedule for notification.

Litigation would likely commence.


Sorry the process isn't more nefarious.
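The flow Willard describes (a list of PANs handed to the processor, issuers worked out by BIN range, one notification per card) can be sketched as a triage step. This is an added illustration, not code from anyone on the thread; the BIN table and issuer names are made up, and the sample input uses brand-published test card numbers rather than real cardholder data.

```python
# Constructed BIN table for this example (low, high, issuer). Real BIN
# ranges come from the processor or card brands; these values are made up.
BIN_TABLE = [
    ("411111", "411119", "Example Bank A"),
    ("510000", "519999", "Example Bank B"),
    ("601100", "601199", "Example Bank C"),
]

def luhn_valid(pan: str) -> bool:
    """Mod-10 check: filters typos and garbage before anything is notified."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer_for(pan: str):
    """Match the 6-digit BIN against inclusive ranges, not fixed prefixes."""
    bin6 = pan[:6]
    for low, high, issuer in BIN_TABLE:
        if low <= bin6 <= high:   # fixed-width digit strings compare like ints
            return issuer
    return None

def mask(pan: str) -> str:
    """First six and last four only: what the internal incident log keeps."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def triage(raw_pans):
    """Split a breach's PAN list into per-issuer batches for the processor."""
    per_issuer, unmatched, rejected, seen = {}, [], [], set()
    for raw in raw_pans:
        pan = raw.replace(" ", "").replace("-", "")
        if pan in seen:
            continue                # one card, one notification
        seen.add(pan)
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            rejected.append(mask(pan) if len(pan) >= 10 else pan)
            continue
        issuer = issuer_for(pan)
        if issuer is None:
            unmatched.append(pan)   # no range hit: escalate to the processor
        else:
            per_issuer.setdefault(issuer, []).append(pan)
    return per_issuer, unmatched, rejected

# Constructed sample: brand-published test numbers, not real cardholders.
SAMPLE = ["4111 1111 1111 1111", "5105105105105100", "4111111111111111",
          "6011111111111117", "3566002020360505", "4111111111111112"]

if __name__ == "__main__":
    groups, unmatched, rejected = triage(SAMPLE)
    for issuer, pans in groups.items():
        print(issuer, [mask(p) for p in pans])
    print("unmatched:", [mask(p) for p in unmatched], "rejected:", rejected)
```

The full PANs stay only in the per-issuer batches that go to the processor; everything logged locally goes through `mask`.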


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Brad Putnam
Sent: Monday, July 21, 2008 6:50 PM
To: rshavell at identityforce.com; dataloss at attrition.org
Subject: Re: [Dataloss] confirming victims of data breaches?


Hi Rob;

I have to tell you, this is one of the best questions I've seen in
regard to helping consumers.  To my knowledge, there are zero laws that
compel a company to come clean upon verbal request of a client.
Obviously, it would be good for the individual consumer; however, it
could also be used nefariously.  Steal a DB, call and confirm the data
is good.  Your point is well taken and I need to think on it a bit...

I would love opinion on the subject, but I don't want to request
anything without the permission of Attrition folks to utilize their
list...

Lastly, this is one of the best managed mail lists I've been a party to.
Thank you Lyger and Co!

Best regards,
BP 

Brad Putnam
President and CEO
Digital Compliance, LLC
PO Box 792
Billings, MT. 59103
406-325-9737 Phone
406-325-9738 Fax
BPutnam at digitalcomply.com


This email communication may contain CONFIDENTIAL INFORMATION WHICH ALSO
MAY BE LEGALLY PRIVILEGED and is intended only for the use of the
intended recipients identified above.  If you are not the intended
recipient of this communication, you are hereby notified that any
unauthorized review, use, dissemination, distribution, downloading, or
copying of this communication is strictly prohibited.  If you have
received this communication in error, please immediately notify us by
reply email, delete the communication and destroy all copies.


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org]
On Behalf Of Rob Shavell
Sent: Monday, July 21, 2008 4:51 PM
To: dataloss at attrition.org
Subject: [Dataloss] confirming victims of data breaches?

hi all,

as notification laws proliferate, i'm wondering, w/out a notification
letter, can consumers themselves really confirm if they are part of a
breach?

in my experience, calling up a company directly to ask if you are
affected by a breach results in a canned response saying "did you get a
letter"? or "contact your credit card company"

do companies have any responsibility to tell those who may have NOT YET
received a notification (state doesn't require it, moved,
whatever) that they are indeed affected?  if not, doesn't this reality
counter the spirit of the laws and companies doing the right thing?

i understand that SSNbreach (and maybe others?) are trying to do
something about this. is there any way to empower consumers here?

rgds,
rob
___________________
Rob Shavell
Director of Compliance
IdentityForce
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
