Is That Legal?
In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks:
It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether the current action (or inaction) by the bank is acceptable to customers if the risk is unknown?
I’d start not with acceptability to customers, but acceptability to a variety of States’ Attorneys General. The choice of keeping consumers in the dark is no longer legal in 21 states, and is no longer acceptable anywhere. If I were an unnamed processor, I’d sure be asking myself “Am I gonna end up like ChoicePoint or am I gonna end up like CardSystems Solutions, sold for parts?”
The rules on disclosure, both legal and social, have changed. Companies must come clean about their errors.