[ISN] Useless Compensation for Data Loss Incidents

From: InfoSec News (alerts@private)
Date: Thu Jun 12 2008 - 01:33:44 PDT


Useless Compensation for Data Loss Incidents
Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho
http://attrition.org/security/rant/dl-compensation.html

If you have been the victim of a data loss incident, odds are you have 
received a letter from the careless organization that lost your 
information. These letters always offer apologies and sincere hope that 
your identity or personal information isn't abused. The recent BNY 
Mellon incident (which now stands at 4.5 million potential customers 
affected) resulted in customers receiving such a letter:

Notice that in return for having your personal information lost, they 
are offering free credit monitoring for 12 whole months! This seemingly 
generous offer has apparently become the standard business practice for 
acceptable compensation when your personal information is treated with 
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" 
credit monitoring product (despite no mention of that 'product' on the 
consumerinfo.com web page), which watches for changes to your credit 
reports from the three national credit reporting agencies in the United 
States (Experian, Equifax, TransUnion). If you are unlucky and get 
caught up in multiple data loss incidents, you may receive this 
"gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable 
compensation? This seems to be another case of one business following 
another and... voila, we have an industry 'standard' that does little to 
serve the customer but does everything to serve businesses that want to 
look caring and "customer-centric" in the media.

Second, since this is hardly compensating customers, what better things 
could the money be used for? If you take Experian at face value and 
accept that the monitoring is a US$60 value, that will pay for a nice 
steak dinner and a bottle of wine to fuel grumbling about corporate 
irresponsibility, which is definitely a better use than redundant 
'credit monitoring' that really does little for the customer. What if 
the company that lost the information were required to send each person 
affected US$60 in cash instead? Bank of NY Mellon would have to pay out 
270 million dollars, Hannaford would have to pay out 252 million, and TD 
Ameritrade would have to pay out 378 million. Wouldn't that be a good 
incentive to implement stronger data security? Instead, businesses get 
out cheap by paying pennies on the dollar for ineffective and 
catch-ridden 'services' from companies that also profit heavily from 
having your information in the first place. If not that, companies 
should spend a fraction of those multi-million dollar amounts on 
stronger data security and a more thorough method of auditing it. 
Imagine if any of those companies had budgeted US$100 million on data 
security the year before the breach.

Third, have you read the fine print to this generous credit monitoring? 
The monitoring in question consists of "daily" checks on your credit 
report in which they notify you of "key changes". If you get such a 
notification and suspect something is wrong, you must file a police 
report within 10 days of receiving the e-mail notification, report the 
suspected identity theft to their Fraud Resolution Department within 10 
days of receiving the e-mail, place a fraud alert with Experian, Equifax 
and TransUnion within 10 days of receiving the e-mail notification, work 
with the Fraud Resolution Department to pursue all other sources of 
reimbursement (so they don't have to pay you the guaranteed amount) and, 
finally, pay out of pocket if you fail to meet every criterion on the 
list in section 4 of the agreement. So if you happen to be on vacation 
or without e-mail for 10 days, this monitoring is entirely worthless, as 
they will do nothing else to proactively protect you from such abuse. 
All this for only US$4.95 a month!! Oh, and they can also terminate this 
offer/agreement at any time at their sole and complete discretion...

Fourth, does this seem like a huge profit circle and/or conflict of 
interest? The companies that are there maintaining your credit history 
and score are in turn charging customers for this monitoring. If you are 
unlucky and get your information lost, you get this paid service for 
free for one year. If not, you pay this company to monitor the records 
they keep for suspicious activity because they wouldn't do it otherwise. 
They really care about the accuracy and security of your personal 
information, promise!

The simple truth is that offering limited credit monitoring for a 
heinous act of carelessness is no form of "compensation" to the affected 
customers. This desperate attempt to seem generous and caring is nothing 
more than a marketing ploy designed to appease customers that should 
otherwise be angry and looking to take their business elsewhere. It's 
time to expect and demand more from companies that lose your personal 
information, whether by theft, poor policies, gross negligence, or any 
combination of the above.

Copyright 2008 by Attrition.org. Permission is granted to quote, reprint 
or redistribute provided the text is not altered, and appropriate credit 
is given, if you are not a credit reporting agency. Any credit reporting 
agency, including Experian, Equifax and TransUnion must obtain licensing 
to quote, reprint or redistribute this article.
