March 29, 2006 4:00 AM PST

Suffering in silence with data leaks

"Disclosure shall be made in the most expedient time possible and without unreasonable delay," the law reads.

But New York may have to yield to federal regulation that offers consumers even fewer rights to demand notification about data leaks, should legislation being considered by Congress become law, said Rep. Barney Frank, the senior Democrat on the House financial services committee.

Some of the bills under consideration would give companies greater latitude in deciding when to report the loss of customer information, and would also restrict the right of consumers to freeze their bank accounts should their personal details be stolen, Frank said.

"The whole thing is ridiculous," said Frank, who argues that states should be allowed to set their own disclosure laws. "Not exposing these companies violates every good conservative principle of law enforcement, which says that the person who does the wrong is the one who must pay the price."

Certainly, some merchants have spoken up about losing customer data. Wal-Mart Stores issued a press release after thieves obtained personal information from an undisclosed number of Sam's Club customers in October.

But when other companies hesitate to inform customers, they are only helping cyberbandits, argues CardCops.com's Clements, who has been involved in exposing more than 500 illegal digital intrusions. Time is of the essence when it comes to catching thieves and minimizing the damage to consumers, he said.

"Keeping a data theft under wraps only increases the chance for hackers to steal a consumer's identity," Clements said. "The longer you wait, the more time you give hackers to work. If people are informed, they at least have a chance to protect themselves."

Hours before a reporter informed Perry on Feb. 17 that her card was for sale on the Web, she received a call from Visa informing her that it had flagged several suspicious charges. She confirmed that the charges were indeed unauthorized.

The hacker who stole her information has a reputation for dealing in "cherry cards," meaning his card information is usually valid and valuable. That thieves can so brazenly sell such data is troubling to many, given that only about 17 percent of the country's largest 230 merchants meet security standards required by the major credit card companies, according to Visa.

"The whole thing made me feel very vulnerable," said Perry, who put a 90-day hold on her credit to help thwart any attempts to steal her identity. "Before I go shopping again, I'm going to look for a security symbol, something that tells me the site's security has been approved."

Where is the consumer protection in any of this?
I would like to inform all who read this that the year is 2006.

1. 1 in 8 adults have had their identity stolen, with that number
steadily rising.

2. It takes a Congressman in Ohio to pass a law in Iowa against
identity theft.

3. New York has the best consumer protection but might not very
well be enough due to Federal Guidelines.

What "in the pickles" is wrong with all three of those statements
above? I'll tell you what is wrong -- no consistency! Anywhere!

And we as a society are supposed to embrace a technology that
would allow us to simply hit up a web site, order our favorite
product or products, and see it in three days without ever
leaving the house. Mmmmn convenience!

Now that's a grandiose notion due to politicians and big
business whose sole purpose is to keep their clients in lieu of
money. How are we supposed to feel safe in cyberspace, let alone
real space, knowing that our data could be stolen from any one
of those big businesses like Amazon or eBay?

The only people that are being saved are the businesses selling the
product or service. They get to continue to keep their clients
and their clients' money while leaving their clients to fend off
the thieves' aftermath.

FYI, server administrators are paid to ensure that servers are up
to date and patched. After all, that is how data is stolen and
servers hacked: un-patched programs that reside on a server. So
why shouldn't businesses be made RESPONSIBLE for not patching
servers?

It is a known fact that exploits are taken and used against these
very companies to get to your data using readily available tools
from the net. Because these companies find it "expensive" in
some sorts to maintain the patches, they just leave the servers
unsecured, in return making these companies easy targets for
hackers.

"I guess it's ok to pay your Network Administrator $100,000 a
year to replace keyboards. Personally I think his talent is useful
in other places, but what would I know (www.Tech01.net)?"

Where are the people in all of this? After all, we are trying to
protect the "People's" data. Here's a freebie for all you
politicians, especially Bush.

How about a Federal Law making ANYBODY's server that holds
ANY PERSONAL DATA of CLIENTS, either POTENTIAL or CURRENT,
report ANY breaches in the respective databases.

Here's a little bone to add to that:
If a server is breached it must also be reported to the FBI and
logged. Then, if it is deemed that the business was
at fault, a $75,000 fine is imposed on the company.

Gee, look at that, a commoner makes a one paragraph law that
makes sense and works across the board to ensure "The People
of the United States of America" are protected against such
crimes as Identity Theft as well as Cyber Theft.

~Justin
www.Tech01.net
Posted by OneWithTech (196 comments )
Disgusting. STOP SHOPPING ONLINE is the only answer
Until merchants can prove our information is safe. Right now, I always have a feeling that nothing is safe.
Posted by ordaj (338 comments )
Breaches occur often. Companies do not know
There are probably 2 to 3 times more breaches than we are ever told about.
Most private companies are too worried about customers and revenue to put in proper security and to perform checks and audits of that security.
Of the three large employers with commerce-based web sites I have worked for, only one would know if there was a breach.
One company, an Austin-based promo products company, has had many questionable problems and never tells the customers it has about the problems. The whole company is run on pirated software and every exec has known about the problems and the pirating for over 5 years.
Yet they continue to generate millions in revenue every year and they have banks and hospitals as customers!
As an employee I cannot tell the customers or I will get fired and sued. Contacting government agencies does nothing, and even sending a list of the pirated software to the BSA accomplishes nothing.
Any idiot can set up a web site and take money. There is nothing to compel them to manage security or software licenses. It's a very sad state. Use cash and do not buy online.
Posted by FarmerChet (6 comments )
Corporate Slackers
Corporate slackers pay peanuts for computer security, and that's what you get: wholesale theft of data held in any corporate computer!

But since in most corporations we pay inflated salaries, with similarly large amounts of funds going to over-inflated expense accounts (Jack's style) and share options, at the end of the day there are no funds left in the kitty for any form of data security!

Alas, you pay for what you get and get what you pay for, but you can't get much security for peanuts!

Some choices in real life can be very costly for some!
Posted by heystoopid (691 comments )
freezing your credit doesn't work either
Knowing that I was going to take out a line of credit on my house in a month, I ran a little test. I notified the 3 major credit agencies that my identity may have been stolen, then waited until they confirmed in writing that my credit files had been appropriately flagged. Then I applied for the $100,000 line of credit against my house, and got it, and none of them contacted me about it. Where's the protection?
Posted by mikew12345 (2 comments )
YOU'RE not protected...
THEY'RE protected. Protected from spending any money or effort to take care of anything.
Posted by ordaj (338 comments )
There is a difference between a freeze and a watch
Only people in a few states can freeze an account right now, I believe. Watches don't work, that is for sure.

Did you freeze or just put on a watch?
Posted by drizzit (3 comments )
What's the REAL Problem here?
Information is stolen all the time. Much of it hits the news.

But the problem as I see it here is that customers' PIN information is also stored online as well.

THAT INFORMATION FOLKS!!! is WHAT SHOULD NEVER BE STORED!!!

They claim they did every thing possible... but apparently that didn't include NOT storing the PIN number...

So if ya ask me... They DIDN'T do everything possible... either before (storing the PIN) OR afterwards (notifying their customers of the breach).

Whether it's required by law or not is another issue!!! The common sense thing to do (laws or not) is to notify those who are affected... which they didn't do!

So in my book... they're guilty on both counts of NOT doing EVERYTHING possible in the PRE-BREACH as well as NOT doing EVERYTHING possible in the POST-BREACH!

Walt
Posted by wbenton (522 comments )