A couple of months ago I bought a pair of sneakers that now may cost me a king's ransom. I made the $40 purchase at one of the 108 Discount Shoe Warehouse [DSW] stores compromised by database thieves who stole three months' worth of credit card transactions.
My first thought when I heard the news this week: Not again.
This will be the third time in two years that I've had to contact credit agencies and issue a fraud alert. The last freeze, as far as I know, is still in effect if recent difficulties getting a new cell phone plan are any indication.
In case you missed it, the national discount shoe chain on Monday announced it now believes "external" hackers swiped the data on 1.4 million credit card transactions and another 96,000
I'm sure people are crediting California's breach notification act for this latest disclosure, much as they did when data brokers ChoicePoint and LexisNexis were forced to come clean. This praise is worthy only if DSW announced the breaches in a truly timely manner. According to a company statement, within 24 hours of finding the theft, the company called federal authorities, hired a computer forensics company and notified cardholder associations. It then says it also "promptly issued" a customer alert posted on its Web site. The news media took over from there.
Once again, private companies with deep pockets and fuzzy math have the press to do their dirty work.
The biggest loophole in California's SB 1386, and from the looks of it all the legislation being made in its image, is the huge lag time between when companies find a breach and when they must let victims in on it. During the lapse, designed to allow law enforcement time to investigate, unwitting individuals are at risk of identity theft and fraud. I'm not against investigators getting a lead on catching culprits, but the notification window needs to be narrowed.
I used to moonlight as a college professor and a year ago my employer publicly announced a server holding financial information on students, staff and faculty had been compromised. The attack took place in October 2003; the press announcement was issued the following March -- during spring break, when campus was closed.
For the 10 people who caught the newscast, the school said it would be notifying impacted individuals, which in my case
I think we're nearing a tipping point. The rash of widely publicized data thefts in the past few months is creating mounting consumer pressure that I hope finally closes clauses in data theft disclosure laws that still benefit big business. And by all means, let's keep the news media in the loop. Until change arrives, we'll still rely almost exclusively on diligent journalists, and not compromised companies, to help us decide how to handle the latest data thefts. That means altering the way and with whom we do business -- if criminals haven't already done it for us.