[Infowarrior] - Useless Compensation for Data Loss Incidents

Richard Forno rforno at infowarrior.org
Wed Jun 11 11:22:28 UTC 2008


Useless Compensation for Data Loss Incidents
Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho
http://attrition.org/security/rant/dl-compensation.html

If you have been the victim of a data loss incident, odds are you have  
received a letter from the careless organization that lost your  
information. These letters always offer apologies and sincere hope  
that your identity or personal information isn't abused. The recent  
BNY Mellon incident (which now stands at 4.5 million potential  
customers affected) resulted in customers receiving such a letter:

Notice that in return for having your personal information lost, they  
are offering free credit monitoring for 12 whole months! This  
seemingly generous offer has apparently become the standard business  
practice for acceptable compensation when your personal information is  
treated with carelessness. BNY opted to go with ConsumerInfo.com's  
"Triple Alert" credit monitoring product (despite no mention of that  
'product' on the consumerinfo.com web page), which watches for changes  
to your credit reports from the three national credit reporting  
agencies in the United States (Experian, Equifax, TransUnion). If you  
are unlucky and get caught up in multiple data loss incidents, you may  
receive this "gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable  
compensation? This seems to be another case of one business following  
another and... voila, we have an industry 'standard' that does little  
to serve the customer but does everything to serve businesses that  
want to look caring and "customer-centric" in the media.

Second, since this is hardly compensating customers, what better  
things could the money be used for? If you take Experian at face value  
and accept it is a US$60 value, that will pay for a nice steak dinner  
and bottle of wine to fuel grumbling about corporate irresponsibility,  
which is definitely a better use than redundant 'credit monitoring'  
that really does little for the customer. What if the company that  
lost that information were required to send each person affected US  
$60 in cash instead? Bank of NY Mellon would have to pay out 270  
million dollars, Hannaford would have to pay out 252 million, and TD  
Ameritrade would have to pay out 378 million. Wouldn't that be good  
incentive to implement stronger data security? Instead, businesses get  
out cheap by paying pennies on the dollar for ineffective and catch-ridden  
'services' from companies that also profit heavily from having  
your information in the first place. If not that, companies should  
spend a fraction of those multi-million dollar amounts and pay for the  
institution of higher data security and a more thorough method for  
auditing their security. Imagine if any of those companies had  
budgeted US $100 million on data security the year before the breach.

Third, have you read the fine print to this generous credit  
monitoring? The monitoring in question consists of "daily" checks on  
your credit report in which they notify you of "key changes". If you  
get such a notification and suspect something is wrong, you must file  
a police report within 10 days of receiving the e-mail notification,  
report the suspected identity theft to their Fraud Resolution  
Department within 10 days of receiving the e-mail, place a fraud alert  
with Experian, Equifax and TransUnion within 10 days of receiving the  
e-mail notification, work with the Fraud Resolution Department to  
pursue all sources of reimbursement (so they don't have to pay you the  
guaranteed amount) and finally, pay out of pocket if you don't meet  
all the criteria on their list in section 4. So if you happen to be on  
vacation or without e-mail for 10 days, this monitoring is entirely  
worthless as they will do nothing else to proactively protect you from  
such abuse. All this for only US $4.95 a month!! Oh, they can also  
terminate this offer/agreement at any time at their sole and complete  
discretion...

Fourth, does this seem like a huge profit circle and/or conflict of  
interest? The companies that are there maintaining your credit history  
and score are in turn charging customers for this monitoring. If you  
are unlucky and get your information lost, you get this paid service  
for free for one year. If not, you pay this company to monitor the  
records they keep for suspicious activity because they wouldn't do it  
otherwise. They really care about the accuracy and security of your  
personal information, promise!

The simple truth is that offering limited credit monitoring for a  
heinous act of carelessness is no form of "compensation" to the  
affected customers. This desperate attempt to seem generous and caring  
is nothing more than a marketing ploy designed to appease customers  
that should otherwise be angry and looking to take their business  
elsewhere. It's time to expect and demand more from companies that  
lose your personal information, whether by theft, poor policies, gross  
negligence, or any combination of the above.

Copyright 2008 by Attrition.org. Permission is granted to quote,  
reprint or redistribute provided the text is not altered, and  
appropriate credit is given, if you are not a credit reporting agency.  
Any credit reporting agency, including Experian, Equifax and  
TransUnion must obtain licensing to quote, reprint or redistribute  
this article.
