After a Security Breach, Should Companies Be Forced to Wear a Scarlet Letter?


After working in IT for over 24 years, writing about companies that have been hacked and people that have had account information stolen, I have never been personally affected by any of it, until now. Wyndham Hotels has been in the news recently because it was the victim of a computer break-in late last summer. It took eight weeks for Wyndham to report the break-in to authorities -- it claims it needed the time to match payment account data with contact information. Customers that were affected by the breach were not notified until December 2008. Wyndham reported that approximately 21,000 accounts were affected.


I have stayed at Wyndham Hotels several times over the past few years. Fortunately, I have not been notified yet that my account has been affected, but how could it not have been? I monitor my credit card activity on a monthly basis and have not noticed anything unusual, but that does not mean that my account hasn't been jacked. The State Attorney General of Florida recommends that anyone affected by the breach monitor his or her credit reports on a regular basis for unusual activity.


I am a little angry with Wyndham Hotels for taking so long to notify customers that they were affected by this incident. Wyndham did recognize the incident in an open letter, dated February 2009, that was buried on one of its Web sites. I never would have found it if I didn't stumble onto it from a link off the State Attorney General of Florida's site. What a shame that this kind of information is allowed to be hidden on the site.


Carl Weinschenk has written about the potential of some sort of criminal liability for those whose carelessness allows these breaches to occur. The idea hasn't progressed very far. I have another idea for after-the-fact action that may turn out to be the kind of incentive companies seem to need to keep their data secure. I think that any company that has been hacked, as a penalty, must state on the homepage of its Web site that it was breached - an electronic scarlet letter, in effect. I bet that we see fewer companies being hacked. What do you think?