Security News > 2008 > June > Useless Compensation for Data Loss Incidents
Useless Compensation for Data Loss Incidents Wed Jun 11 03:38:35 EDT 2008 Apacid, Jericho http://attrition.org/security/rant/dl-compensation.html If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter: Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over. First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media. Second, since this is hardly compensating customers, what better things could the money be used for? If you take Experian at face value and accept it is a US$60 value, that will pay for a nice steak dinner and bottle of wine to fuel grumbling about corporate irresponsibility, which is definitely a better use than redundant 'credit monitoring' that really does little for the customer. What if the company that lost that information were required to send each person affected US $60 in cash instead? Bank of NY Mellon would have to pay out 270 million dollars, Hannaford would have to pay out 252 million, and TD Ameritrade would have to pay out 378 million. Wouldn't that be good incentive to implement stronger data security? Instead, businesses get out cheap by paying pennies on the dollar for ineffective and catch- ridden 'services' from companies that also profit heavily from having your information in the first place. If not that, companies should spend a fraction of those multi-million dollar amounts and pay for the institution of higher data security and a more thorough method for auditing their security. Imagine if any of those companies had budgeted US $100 million on data security the year before the breach. Third, have you read the fine print to this generous credit monitoring? The monitoring in question consists of "daily" checks on your credit report in which they notify you of "key changes". If you get such a notification and suspect something is wrong, you must file a police report within 10 days of receiving the e-mail notification, report the suspected identity theft to their Fraud Resolution Department within 10 days of receiving the e-mail, place a fraud alert with Experian, Equifax and TransUnion within 10 days of receiving the e-mail notification, work with the Fraud Resolution Department to pursue all sources of reimbursement (so they don't have to pay you the guaranteed amount) and finally, pay out of pocket if you don't meet all the criteria on their list in section 4. So if you happen to be on vacation or without e-mail for 10 days, this monitoring is entirely worthless as they will do nothing else to proactively protect you from such abuse. All this for only US $4.95 a month!! Oh, they can also terminate this offer/agreement at any time at their sole and complete discretion... Fourth, does this seem like a huge profit circle and/or conflict of interest? The companies that are there maintaining your credit history and score are in turn charging customers for this monitoring. If you are unlucky and get your information lost, you get this paid service for free for one year. If not, you pay this company to monitor the records they keep for suspicious activity because they wouldn't do it otherwise. They really care about the accuracy and security of your personal information, promise! The simple truth is that offering limited credit monitoring for a heinous act of carelessness is no form of "compensation" to the affected customers. This desperate attempt to seem generous and caring is nothing more than a marketing ploy designed to appease customers that should otherwise be angry and looking to take their business elsewhere. It's time to expect and demand more from companies that lose your personal information, whether by theft, poor policies, gross negligence, or any combination of the above. Copyright 2008 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given, if you are not a credit reporting agency. Any credit reporting agency, including Experian, Equifax and TransUnion must obtain licensing to quote, reprint or redistribute this article. _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com