Wiggling out of US security breach laws
The latest developments in the CardSystems hack (up to 40 million credit and debit card accounts were exposed by the US payments processor, recently sold to California-based CyberSource) bear close watching by Canadian regulators as they contemplate security breach reporting laws.
Canadians are currently bereft of meaningful legal protection against identity theft.
To date, the perpetrators of one of the biggest ever hacks remain at large.
The potential magnitude of the breach has brought tremendous heat on the various well-heeled stakeholders, and testimony at recent US congressional hearings (e.g. that of the American Bankers Association lawyer, Oliver Ireland) makes interesting viewing, as the lobbyists come out in force to attempt damage control.
Not so close shave for card companies
A lawyer bringing a class action suit arising from the breach brought an application under SB1386, the Californian security breach reporting law (copied by several US states), for an order forcing Visa and Mastercard to notify Californians who might have been affected by the breach.
He failed. The presiding Judge appeared to make a rather liberal interpretation of the law, finding that there was no "emergency" and no "immediate threat of irreparable injury" to consumers.
Disclosure rules come to naught
I do not recall either factor being a requirement under the law. However, counsel for Mastercard apparently argued that the fact the case got huge publicity, and that the card companies issued a press release on the issue, satisfied the requirements of the law.
Such a specious argument makes a mockery of the law, as many vulnerable consumers with access to credit (endemic in the US, even amongst low income families, who are often aggressively targeted by the sector) are not regular newspaper readers, nor attuned to the niceties of locating press releases from the nation's card companies.
It is clear to us, at least, that there has not been adequate notice to possibly impacted consumers under the law. The Judge found the law suit "vague" and imprecise. We would have hoped that he would have given the plaintiffs some leeway with such an important issue at stake, but he did not.
The card companies are undoubtedly elated.
They are also sore that the member banks involved in the breach, those banks that actually issued the cards and engaged CardSystems, are not stepping up to the plate. Nor are they keen to have cards replaced, at a possible cost of 35-40 USD per card.
And they know that if consumers receive a scary breach notification in the mail, they may demand a new card.
Consumers respond to breach notifications
A fascinating recent survey shows how (badly) consumers react to poorly drafted breach notifications: a large number simply dump the bearer of such bad news.
So what to do?
Answer: head the matter off at the pass, and try to avoid consumers finding out about a breach, getting upset, and maybe dropping the provider entirely. A most unsettling, cynical but unsophisticated knee-jerk response from those who should know better.
The card companies also argued, disingenuously, that the zero liability rule for credit card fraud protects consumers "100%". Ergo, why bother with the pesky reporting law at all?
Of course, they do not draw attention to the fact that consumers who are victims of identity theft often have difficulty getting reimbursement from banks, as thieves spread their risk and hedge their bets by defrauding victims at numerous institutions, including those with whom the victims have no existing, legitimate relationship, so the zero liability rule may not apply.
High tech industry sighs in relief, for now
Meanwhile, in an apparent about-face, the main US IT lobbyist group, the IT Association of America (ITAA), has come out in favour of a national security breach law. However, it wants clearer guidance on when and how to report, and better definitions. It also wants existing state laws to be trumped by a new federal law. These suggestions may bear serious consideration, in light of these latest disquieting events.
It is also clear, however, that the ITAA hopes that its emphasis on breach notification laws will take the heat off software vendors, its constituency, for the underlying software flaws that arguably cause the breaches in the first instance.
Wishful thinking
Although a canny ploy, it is unlikely to pull the wool over the eyes of the equally wily and powerful US financial services sector, itself no stranger to lobbying. Alas, everyone is jockeying for position, and trying to ensure that the ultimate outcome does not unduly impact its sector.
Outcomes
But how will the poor consumer ultimately fare when the dust settles? Are we simply irrelevant in the fractious debate?
Maybe it is time to vote with our pocketbooks and signal our disquiet, and reward those who do not unashamedly seek to do us harm.
Consumers unforgiving if personal data exposed
Hardly surprising news, at least to consumers, but a recent survey by EDS, conducted by Ipsos Reid, disclosed that 30 percent of consumers 'would close all accounts and move their business to another financial institution if their personal information was compromised'.
In light of our lead story above, perhaps this is a pertinent factor that banks and credit card companies ought to consider?
Michael Porter talking sense
Michael Porter is a Harvard Professor, the most famous business strategy guru on the planet, and a prolific author.
But unlike many self-appointed business gurus, he generally talks (and writes) a lot of good sense.
During the Internet boom, he lost his lustre, as he was considered out of touch with the new economy, where everyone was encouraged to rush around like chickens without heads, chasing the next 'new new thing', fame and fortune, daft ideas, and generally spending money like drunken sailors.
Caught up in such euphoria, unimpeded by rationality, the boring business of defining long term business strategy seemed plain old-fashioned. Not to mention hard to do. So it was generally considered that the painful, head-frying exercise was best avoided entirely.
But not any more.
Porter is back in fashion. As dot com businesses crashed and burnt, and management at blue chip companies were caught with their collective hands in the till, all semblance of dignity and propriety thrown to the four winds, having a clue about what you are at in business is now considered a good idea.
In this interview with Porter in the September/October issue of Banking Strategies magazine online, he shares his thoughts on outsourcing mania:
'If you're laying off many functions to outside vendors, what's your advantage?' He also discusses the fragmented payment industry.
Well worth a read.
What has it got to do with security you may ask?
With all the M&A activity in the field right now, it behoves one to ask: what strategy goes there? Is there one, or is it just more 'bigger is better'?
To quote Confucius and Yoda: "An increase in gait does not invariably a smarter person make".