[Dataloss] rant: Useless Compensation for Data Loss Incidents

Nell Walton nellwal at yahoo.com
Thu Jun 12 01:14:30 UTC 2008


Fines and other penalties by the federal and state governments.  There is no
100% safe way to protect data, we all know this, but some companies lag on
providing even the basics - and they should have to pay the price.  As it is
now the FTC doesn't do much as far as regulation goes - time for some
official body to step up to the plate and start making these companies
accountable outside of long-running class action suits that just further bog
down a court system that is already bogged down.  The only people that are
making any money out of these class action suits are the LAWYERS on both
sides and they are making out like bandits.  It's not in their interest to
try to solve the ROOT of the problem.   Herein lies the rub.

  _____  

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of David Metcalf
Sent: Wednesday, June 11, 2008 4:58 PM
To: MKEVHILL at aol.com; lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents



I agree, but it is difficult to specify a concrete alternative that a court
could order these companies to provide.  The TJX settlement called for
credit monitoring, not because it was perfect, but rather because the
lawyers and plaintiffs' experts could not think of a better alternative that
the court might actually award.  Defense lawyers now tell their clients
that, based on this precedent, credit monitoring is all they are liable to
provide.  If a better response could be developed and approved by a court in
making a class action award, that would become the new "industry standard."


 

Any ideas?  Should credit monitoring be the standard for incidents like
Hannaford (involving Track 2 data), but require a higher level of protection
for incidents like BNY Mellon or U of U where social security numbers,
medical records or highly personal information is disclosed?

 

  _____  

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of MKEVHILL at aol.com
Sent: Wednesday, June 11, 2008 9:02 AM
To: lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

 

Credit monitoring is the cheapest reactive measure, plain and simple.  And
without a doubt, it's a false sense of security these "careless
organizations" are giving the affected individuals.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net <http://www.idtheft101.net/>
404-216-3751

In a message dated 6/11/2008 3:33:05 A.M. Eastern Daylight Time,
lyger at attrition.org writes:


http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have 
received a letter from the careless organization that lost your 
information. These letters always offer apologies and sincere hope that 
your identity or personal information isn't abused. The recent BNY Mellon 
incident (which now stands at 4.5 million potential customers affected) 
resulted in customers receiving such a letter:

[...]

Notice that in return for having your personal information lost, they are 
offering free credit monitoring for 12 whole months! This seemingly 
generous offer has apparently become the standard business practice for 
acceptable compensation when your personal information is treated with 
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" 
credit monitoring product (despite no mention of that 'product' on the 
consumerinfo.com web page), which watches for changes to your credit 
reports from the three national credit reporting agencies in the United 
States (Experian, Equifax, TransUnion). If you are unlucky and get caught 
up in multiple data loss incidents, you may receive this "gracious 
compensation" many times over.

First, why is this type of reactive credit monitoring acceptable 
compensation? This seems to be another case of one business following 
another and... voila, we have an industry 'standard' that does little to 
serve the customer but does everything to serve businesses that want to 
look caring and "customer-centric" in the media.

[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
