Are Breach Notification Laws Anything More Than Window Dressing?

from the fresh-paint-on-an-eyesore dept

Given how often credit-card data is leaked from retailers, payment processors or banks, most of us are familiar with the breach-notification letters card issuers send out -- and many of us probably don't pay a whole lot of attention to them, since they're often followed by a new card for us to start using. These notifications are required by law in many states, but they've become so common, and provide so little useful information, that some people wonder if they serve any purpose at all. Yes, argues another blogger: he says the notifications tell consumers where the breach happened, giving them extra warning to change any other card numbers they've used there, or the opportunity to stop patronizing that business. But is that really the case? In my experience, the breach notifications I've received have never provided any specific information about the source of a breach, and neither banks nor credit-card companies have ever been willing to disclose one. And if the breach occurs at a company like a payment processor, with which consumers have no direct contact, they can't take their business elsewhere. For consumers, the notifications themselves may not help much, but they do have value in forcing companies that have lost data to disclose it to other players in the ecosystem. The big risk is that the notifications come to be viewed as a security solution in and of themselves, as if the shame of having to disclose a breach would guilt companies into better security. That hasn't worked, as the breaches continue unabated, so it's high time to find some new and effective solutions.
Filed Under: breach notification


Reader Comments


  1. R. Miles, 12 Mar 2009 @ 4:07am

    Good ol' cash could be making a comeback!

    That hasn't worked, as the breaches continue unabated, so it's high time to find some new and effective solutions.
    After reading the story of the group who successfully cracked the encryption using several PlayStation 3 consoles, I've pretty much given up hope on any "effective" solution.

    All solutions will break, in time. It's a constant cat & mouse game, and one day, it'll reach an impasse. I'm sure the costs to continue developing new solutions is taking its toll, especially on the consumer who ends up paying for it in the long run.

    Cards are convenient, but I see a day when cash begins to make a comeback for local purchases as consumer trust in electronic transactions diminishes. How many times do you think consumers will tolerate having to receive new cards on every breach? They'll tire of it eventually.

    Meh. What can anyone do.


  2. Anonymous Coward, 12 Mar 2009 @ 6:22am

    It's no big deal

    until someone with influence is affected - then let the whining begin.


  3. Steve R. (profile), 12 Mar 2009 @ 6:48am

    Another Marketing Ploy

    When we receive these notices, we also get in the mail the sales pitch for signing-up for "identity theft protection". I have also gotten phone calls, that I assume are related to marketing the identity theft protection product. I didn't answer the phone, but got the vague voice mail requesting a call back concerning an "issue".


  4. TheStuipdOne, 12 Mar 2009 @ 7:48am

    Proper Punishment

    It seems logical to me that if a company loses my credit card information then they need to be punished and I need to be compensated. So they should be forced to pay off ALL the debt on ALL the cards they lost info on, and cover all the bank's costs in replacing the cards.

    To be honest not that much money for me cause I keep mine paid off, but that can be $10,000 or more for some people. If I assume an average of $500 per card and 60,000 lost cards we are talking 30 million dollars. A slap on the wrist to some big companies but definitely worth improving security.


  5. Man from Atlanta, 12 Mar 2009 @ 8:53am

    notifications no longer useful

    I worked on a few breach responses over the last few years. When notification laws first came out, notifications were useful. Execs took their duties seriously. Recipients responded and reviewed their credit reports, wrote letters, etc. There was a reaction.

    But even as long ago as two years ago, the public became too used to the notices. They became commonplace. As responders, we watched this and knew our responses were becoming less important.

    The content of notices changed too, they became less useful. Companies figured out that the lessening furor did not require offering cheap credit monitoring, so they stopped offering it. Notification became a nuisance, not a moral duty. Steve R. is right, some businesses also began trying to turn breaches into profitable events!

    Notification is no longer the guilt-tinged mea culpa it used to be. The notification laws no longer perform their intended function.


  6. Anonymous Coward, 12 Mar 2009 @ 11:08am

    Re: Proper Punishment

    no, I think there should be fines, but that is a bit prohibitive to smaller companies and could also wrongfully punish an unavoidable breach.
