After a Security Breach, Should Companies Be Forced to Wear a Scarlet Letter?

Ralph DeFrangesco

After working in IT for over 24 years, writing about companies that have been hacked and people who have had account information stolen, I had never been personally affected by any of it, until now. Wyndham Hotels has been in the news recently because it was the victim of a computer break-in late last summer. It took eight weeks for Wyndham to report the break-in to authorities -- it claims it needed the time to match payment account data with contact information. Customers affected by the breach were not notified until December 2008. Wyndham reported that approximately 21,000 accounts were affected.


I have stayed at Wyndham Hotels several times over the past few years. Fortunately, I have not yet been notified that my account has been affected, but how could it not have been? I monitor my credit card activity on a monthly basis and have not noticed anything unusual, but that does not mean my account hasn't been hijacked. The State Attorney General of Florida recommends that anyone affected by the breach monitor his or her credit reports on a regular basis for unusual activity.


I am a little angry with Wyndham Hotels for taking so long to notify customers that they were affected by this incident. Wyndham did acknowledge the incident in an open letter, dated February 2009, that was buried on one of its Web sites. I never would have found it if I hadn't stumbled onto it from a link on the State Attorney General of Florida's site. What a shame that this kind of information is allowed to be hidden on the site.


Carl Weinschenk has written about the potential for some sort of criminal liability for those whose carelessness allows these breaches to occur. The idea hasn't progressed very far. I have another idea for after-the-fact action that may turn out to be the kind of incentive companies seem to need to keep their data secure. I think that any company that has been hacked must, as a penalty, state on the homepage of its Web site that it was breached - an electronic scarlet letter, in effect. I bet we would see fewer companies being hacked. What do you think?



Mar 6, 2009 4:51 AM JohnL says:

I think notification should be mandatory within a certain timeframe. 1 to 2 weeks should be sufficient, but not more than 4. I want to give them time to investigate so you don't end up with letters along the lines of:

"Dear Every Account Holder, we believe we may have been hacked but we're not sure yet. And even then, we don't know what happened or if your information was compromised, but please panic just in case."

Consumer confidence in said corporations would fall through the floor, and many times this would be unwarranted.

I do think companies have a responsibility to make it well known, however. Mailings to affected clients should be mandatory and prompt. An advertisement on a logon page of a website should be mandatory. Monster recently did just that - they were compromised, they advertised a link to a full disclosure on their page, and they said "even though only a small percentage of our customer base may have been affected, we don't believe personal information (like phone numbers and addresses) was stolen, only resumes. Even so, change your password." They should take pride in their forthrightness.

If there's any risk of credit damage, I think affected corporations should be mandated to provide one year's worth of credit monitoring for the impacted client base. This seems only fair to the end clients.

And then there's the difficulty about non-client-impacting data. Say Pepsi has its network cracked, and the 'secret recipe' is stolen. There's no indication that any protected personal information was stolen, just proprietary manufacturing data. Should they be required to disclose this? If so, why? Whose problem is it, really? If the secret recipe is then used in a competing brand, they'd have the right to sue for espionage, but why notify their distribution network, or purchasers at the grocery store, that their network was hacked and corporate proprietary information was stolen? I don't see the necessity there.

You also mention criminal liability for carelessness. If someone puts a SQL server with my name, address, SSN, and CC number in the database attached to the internet and leaves an admin password of "qwerty123", then yes. This could be considered criminally negligent. If, however, all best efforts were taken to prevent intrusion or compromise, such as firewalls, data encryption/protection, complex passwords, etc., then we cannot pin all the blame on the corporation or administrators for a compromise. Hackers/crackers can and will take months or even years to find a weak spot in a network, and no active production network is 100% secure, period. Hold the data thief criminally liable, not the company that made every effort to protect its consumers.

I'm absolutely interested in differing or agreeing viewpoints. 

Rgds,

JohnL

An IT Admin's $0.02. Obviously mileage may vary. No warranty is expressed or implied with this product. Heads may explode with its use. This data is proprietary and confidential and should be destroyed if read by anyone, ever. Don't try this at home. Be kind, rewind.

Mar 8, 2009 8:43 AM Ralph DeFrangesco says, in response to JohnL:

John,

What a great post, you are way too funny. I like your points. I think we are on to something here. If we think this way, I am sure that there are a lot more people who feel the same way. So, if we tell two people and they tell two people about this, then that's at least twenty people. Please keep the comments coming!

-Ralph

Mar 11, 2009 3:34 AM Hank says, in response to Ralph DeFrangesco:

I guess I take a different view since I have been burned! Make them wear the scarlet letter, publish them in the newspaper, radio, TV, whatever. When you go to a site and enter data, you expect that it will be protected. If they don't protect it, then they should pay. Like you said, I bet you see fewer sites being broken into.

Hank
