The following text is copyright 2005 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Big problems and little horror stories
By Scott Bradner
This is a story that will not go away for quite a while and is likely to get far worse before it gets much better. In the few weeks since I last wrote about the rampant data protection problems that are facilitating widespread identity theft (Privacy: A personal touch http://www.nwfusion.com/columnists/2005/030705bradner.html) things have gotten worse -- mostly not because things have actually gotten worse but because we are now finding out about incidents that had been kept secret.
One story that perfectly illustrates the disregard that the major companies have for the protection of the privacy and financial well-being of the general public involves Polo Ralph Lauren Corporation. On US tax day the Boston Globe broke the story that Polo Ralph Lauren Corporation had had a computer break-in of some kind (no details provided, of course) last fall but had decided to not tell the people that they had put at risk about it. The only hint of the situation came out in the beginning of April when a bank (HSBC North America) began notifying 180,000 holders of GM MasterCards that they should get a new card because their card number might have been compromised. MasterCard said that they had been notified in January of the break-in but refused to say what merchant had the problem. Later Visa said the same thing.
There is a long list of what is wrong with this picture.
o Polo Ralph Lauren decided to not protect its customers by telling them right away about the risk that the customers now faced because of the failure of Polo Ralph Lauren to properly protect the credit card information.
o If the Globe is correct, Polo Ralph Lauren did not even tell the credit card companies until long after the break-in.
o The credit card companies waited more than 3 months to start telling their customers to watch their credit card statements.
o The credit card companies refused to tell the public who caused the problem, so the public could not modify their shopping habits to avoid a merchant that puts its customers at risk and then does not tell them.
o Only one bank has started notifying its card holders of the problem - I find it hard to believe that Polo Ralph Lauren only accepted GM MasterCards; where are the other issuers of credit cards?
o So far it looks like Polo Ralph Lauren will not suffer any penalty, nor will it be responsible for helping anyone whose card information was stolen recover.
This was only one of a long list of issues that have come to light since my last column. Some were brought up in a hearing that was held by the Senate Judiciary Committee on April 13. This hearing detailed many big problems and little horror stories about the inability and, apparently, unwillingness of those companies that know all about us to keep that information out of the hands of those who would do us ill. The immorality of companies like Docusearch, which sold a killer information on how to find his victim for $154, is only slightly clearer than the immorality of data brokers such as ChoicePoint and LexisNexis, which have provided almost unfettered access to similar information for a few dollars.
Congress, and state legislators, just may pass some of the many bills now in front of them. Sadly the best of these bills will only require the data vendors to take a little bit better care of our data and to tell us when the data gets unduly exposed -- none of them even tries to deal with the fundamental immorality of the basic business.
disclaimer: Harvard tries to teach morality (see for example http://www.hbs.edu/mba/academics/coursecatalog/1562sucher.html) and seems to succeed more often than not, but the above opinion of immorality is mine, not the university's.