Shostack + Friends Blog Archive

 

Disclosure Laws

In an article (“Credit card numbers reported stolen from R.I. state Web site”) about the Rhode Island breach, I found the following quotes:

The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit cardholders were affected, she said.

NEI tightened security, Loring said, although she declined to describe the measures. She said the Web site is “absolutely safe” and the intrusion was reported to financial institutions.

The state did not tell consumers about the breach in December because the hacking appeared limited, Najarian said.

So let me get this straight… The breach was reported to financial institutions, but not to consumers… The people who found the breach made several mistakes in their analysis. The people who found the breach couldn’t be bothered to tell eight citizens what had happened.

Was there a question of why we don’t want a ‘no apparent risk’ clause in the laws?

(Little girl illustrating corporate strategy photo by Brndnprkns.)

3 comments on "Disclosure Laws"

  • Chris Walsh says:

    My prediction for 2006 is that one of these auditing outfits is going to get slammed with an errors and omissions suit over something like this.
    I doubt that any disclosure laws mandate reporting of the disclosure of partial account/CC numbers. I wonder if they left off the last four digits or something…

  • Lyal Collins says:

    Credit card contracts require the card scheme to be notified of any breach.
    afaik, no one wants to notify consumers because it damages the brand image of the bank and card scheme.

  • Adam says:

    Lyal, see Rhode Island Identity Theft Protection act of 2005 (H6191), which became law on 07/10/05. So, the “want” part isn’t all that relevant anymore.
