Shostack + Friends Blog Archive


The New Transparency

Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not trampling of civil liberties.

One such example is the rise of 1386-style laws. There are now 35 of them, of which some stink, and some are good. What interests me most is the commentary surrounding the Nationwide laptop loss. NatWest is a ‘Building Society,’ in the UK, which roughly maps to a credit union in the US. [NatWest is not Nationwide. Thanks, Richard!]

Note both the expectations, and the explicit admission that problems are being swept under the rug, in this BBC story:

Diane Gaston, of the National Consumer Council, told the programme she is angry customers were not told sooner.

“A three-month delay is appalling. People should be able to trust that if a problem has happened they will be told about it straight away.”

And why is that? The UK has no breach notice law, as of yet. Neither does the EU. Ms. Gaston is speaking of an ethical expectation, based on seeing change in the US. It would be my guess that she’s not even aware of the shift. In saying that, I mean no disrespect, only that no one noticed the absence of these notices, but now that they’re here, we would certainly notice their disappearance.
More from the BBC:

But Nationwide said there is no indication that data had been stolen and nobody has lost any money.

Chief executive Philip Williamson told BBC Five Live that he was “genuinely sorry” for the theft and any concern it had caused customers.

But, Barry Stamp, former director of CIFAS, the fraud prevention service, said it was unusual for an entire customer database to be stored on a laptop.

Mr Stamp, who is now joint managing director of, told the BBC: “On the one hand we should say hats off to Nationwide for actually admitting that one of these laptops has been stolen.

“We’ve seen cases like this almost every week at the moment, but on the other hand you have to ask why that information was contained on a laptop and why the security was lax at Nationwide in such a way that you could download the entire database to a laptop.

This was linked by Slashdot, whose lead includes:

This story raises a number of worrying questions: The theft happened three months ago, why has the news only just been made public?

Again, note the underlying assumption: breaches should be made public, and quickly. What a transformation 1386 has caused, around the world. From one little law in California.

Photo: Radiographica by B3ca.

2 comments on "The New Transparency"

  • Hi Adam.
    NatWest is a bank, part of the Royal Bank of Scotland, the fifth largest bank in the world.
    The Nationwide Building Society is the world’s largest building society.
    Two entirely different beasts.

  • Scribe says:

    The theft happened three months ago, why has the news only just been made public?
    My cynical answer to this (amongst other answers) is that we’re still figuring out how to “market” the idea of “trust” as data becomes both more fluid and more of an identity. Thus, marketing-wise, it’s obviously bad if customers find out their details have leaked before they’ve been ‘officially’ informed. Similarly, it’s also good to confirm that security is the tightest it’s ever been.
    The gray area comes when data might have been leaked, but the customer is, in all probability, quite safe. From one perspective, a ‘press release’ on this threatens to pierce the trustability of a company. On the other hand, being ‘open’ about breaches is a signal of honesty – a sign to the consumer that the company can be trusted to come clean in future.
    In my cynical view, 3 months is the time taken to decide the way in which a press release should be constructed/handled, like a very rushed and somewhat forced advertising campaign.