BreachExchange mailing list archives
Re: rant: Useless Compensation for Data Loss Incidents
From: "Nell Walton" <nellwal () yahoo com>
Date: Wed, 11 Jun 2008 21:14:30 -0400
Fines and other penalties by the federal and state governments. There is no 100% safe way to protect data, we all know this, but some companies lag on providing even the basics - and they should have to pay the price. As it is now the FTC doesn't do much as far as regulation goes - time for some official body to step up to the plate and start making these companies accountable outside of long running class action suits that just further bog down a court system that is already bogged down. The only people that are making any money out of these class action suits are the LAWYERS on both sides and they are making out like bandits. It's not in their interest to try to solve the ROOT of the problem. Herein lies the rub.

_____

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of David Metcalf
Sent: Wednesday, June 11, 2008 4:58 PM
To: MKEVHILL () aol com; lyger () attrition org; dataloss () attrition org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

I agree, but it is difficult to specify a concrete alternative that a court could order these companies to provide. The TJX settlement called for credit monitoring, not because it was perfect, but rather because the lawyers and plaintiffs' experts could not think of a better alternative that the court might actually award. Defense lawyers now tell their clients that, based on this precedent, credit monitoring is all they are liable to provide. If a better response could be developed and approved by a court in making a class action award, that would become the new "industry standard."

Any ideas? Should credit monitoring be the standard for incidents like Hannaford (involving Track 2 data), but require a higher level of protection for incidents like BNY Mellon or U of U where social security numbers, medical records or highly personal information is disclosed?
_____

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of MKEVHILL () aol com
Sent: Wednesday, June 11, 2008 9:02 AM
To: lyger () attrition org; dataloss () attrition org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

Credit monitoring is the cheapest reactive measure, plain and simple. And without a doubt, it's a false sense of security these "careless organizations" are giving the affected individuals.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net <http://www.idtheft101.net/>
404-216-3751

In a message dated 6/11/2008 3:33:05 A.M. Eastern Daylight Time, lyger () attrition org writes:

http://attrition.org/security/rant/dl-compensation.html
Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.
First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml