In comparison, Target Corp. took four days to go from first suspicions to initial disclosure. In
the days immediately following its pre-Christmas announcement, Target stumbled and
struggled with everything from overwhelmed hotlines for incoming calls and glitches in its
credit monitoring sign up to its testimony before Congress.
While most corporations would prefer the Michaels route of crafting a response plan down to
the smallest detail before saying anything, the truth is that customers are rarely served by such
tactics. Even when law enforcement investigators ask a merchant to hold off on public
disclosure, they are not usually anticipating several months of delay.
For customers, such lengthy timeframes can compound the damage, especially if the
payments were made with debit cards, where the money leaves the customer's own account.
Take the case of the Raley's grocery chain breach disclosed last June. Even though the banks
promised to absorb the fraudulent charges, shoppers suffered in other ways. One idRADAR
customer spelled out how his life was turned upside down when the hackers emptied his bank
account.
“I was given a refund by the bank but only after two weeks, and being late on bills and
running out of money to put gas in my car, and then another week before I even had another
debit card to use. Shameful, the way they make it sound like it is no big deal!” wrote the
individual.
Customers who have the foresight to put comprehensive identity monitoring services in
place before a breach (daily checks of their files at the three credit bureaus, of criminal court
records, of the dark web, also known as the Internet black market, and of other public records)
are in a far better position to detect the theft of their card numbers before those numbers are
sold to criminals, to protect their bank accounts and to put safeguards in place well before
companies like Michaels publicly own up to the problem.
Yet few individuals have this level of protection. For the average Michaels Stores, Target or
Raley's shopper, speed of disclosure is essential for limiting the damage.
Realistically, a two-week window should be ample for hacked companies to line up strong
responses provided their risk management plans and strategies are in place long before the
breach. Asking customers to wait any longer pushes the boundaries of reason. Delays are
even less acceptable when Social Security numbers have been compromised.
Not all companies will comply with such a timeline (some will still try to avoid disclosing a
breach at all), but the federal enforcement agency could levy fines for longer delays that are
judged to be unreasonable.
While all the details may not be clear in 14 days, a federal law should also require that
companies disclose the exact types of data lost and the total number of victims.
Recent reports in The Washington Post put the data breach at Harbor Freight Tools at close
to 200 million compromised cards, which, if accurate, would make it even larger than the
Target or Adobe Systems breaches. However, Harbor Freight has steadfastly refused to
disclose numbers.
How and when breaches are disclosed can no longer be governed by our current patchwork of
state laws. The strength or weakness of a state statute should not determine how much
53 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide