Are Breach Notification Laws Anything More Than Window Dressing?
from the fresh-paint-on-an-eyesore dept
Given how often credit-card data is leaked from retailers, payment processors or banks, most of us are familiar with the breach-notification letters card issuers send out -- and many of us probably don't pay a whole lot of attention to them, since they're often followed by a new card for us to start using. These notifications are required in many states by law, but they've become so common, and provide so little useful information, that some people wonder if they serve any use at all. Yes, argues another blogger, mainly because he says the notifications provide consumers with information regarding the source of the breach, giving them extra warning to change any other card number they've used there, or the opportunity to no longer patronize a particular business. But is that really the case? In my experience, the breach notifications I've received have never provided any specific information about the source of a breach, and neither banks nor credit-card companies have ever been willing to disclose a source. And if the breach occurs at a company like a payment processor, with which consumers have no direct contact, they can't take their business elsewhere. For consumers, the notifications themselves may not help much, but they do have value in forcing companies that have lost data to disclose it to other players in the ecosystem. But the big risk of the notifications is that they're viewed as a security solution in and of themselves, such as by thinking that the shame of having to disclose a breach will guilt companies into better security. That hasn't worked, as the breaches continue unabated, so it's high time to find some new and effective solutions.
Filed Under: breach notification
Reader Comments
Good ol' cash could be making a comeback!
After reading the story of the group who successfully cracked the encryption using several PlayStation 3 consoles, I've pretty much given up hope on any "effective" solution.
All solutions will break, in time. It's a constant cat & mouse game, and one day, it'll reach an impasse. I'm sure the costs to continue developing new solutions are taking their toll, especially on the consumer who ends up paying for it in the long run.
Cards are convenient, but I see a day when cash begins to make a comeback for local purchases as consumer trust in electronic transactions diminishes. How many times do you think consumers will tolerate having to receive new cards on every breach? They'll tire of it eventually.
Meh. What can anyone do.
[ link to this | view in chronology ]
It's no big deal
[ link to this | view in chronology ]
Another Marketing Ploy
[ link to this | view in chronology ]
Proper Punishment
To be honest, not that much money for me 'cause I keep mine paid off, but that can be $10,000 or more for some people. If I assume an average of $500 per card and 60,000 lost cards, we are talking 30 million dollars. A slap on the wrist to some big companies, but definitely worth improving security.
[ link to this | view in chronology ]
Re: Proper Punishment
[ link to this | view in chronology ]
notifications no longer useful
But even as long ago as two years ago, the public became too used to the notices. They became commonplace. As responders, we watched this and knew our responses were becoming less important.
The content of notices changed too; they became less useful. Companies figured out that the lessening furor did not require offering cheap credit monitoring, so they stopped offering it. Notification became a nuisance, not a moral duty. Steve R. is right, some businesses also began trying to turn breaches into profitable events!
Notification is no longer the guilt-tinged mea culpa it used to be. The notification laws no longer perform their intended function.
[ link to this | view in chronology ]