Papas Fritas writes:
"Michael Kitchen at Marketwatch reports that when companies in the US are hacked for customer information they often seem to react to such thefts with little more than a sigh and a shrug if they even report it at all. But in South Korea, they don't mess around with ID theft.
South Korea's financial-services regulator announced Sunday that three firms which suffered the theft of consumers' data last year would be barred from issuing any new credit cards or extending any loans for three months. In addition, the executives at the companies involved showed their contrition by going before television cameras and making deep bows and personal apologies. Some executives reportedly resigned over the incident, even though the alleged ID thieves were caught and arrested. The South Korean Financial Supervisory Commission (FSC) said the companies had 'neglected their legal duties of preventing any leakage of customer information.'"
(Score: 3, Insightful) by girlwhowaspluggedout on Tuesday February 18 2014, @02:30PM
Well, should we punish every retailer that suffers a data breach?
I'd say that your question touches on the crux of the data theft problem, i.e. where does incompetence end and negligence begin? Should we hold a retailer responsible for using badly designed software? What about placing the POS systems on the same network on which it stores its customers' credit card records?
And how up to date must its systems be? What should it do when a 0-day exploit is published, without a patch or known workaround?
Soylent is the best disinfectant.
(Score: 4, Interesting) by SpallsHurgenson on Tuesday February 18 2014, @03:30PM
Alternately, the credit-card companies could properly enforce their own PCI compliance rules. According to those, if you are in violation then yes, they CAN forbid you from accepting credit cards from customers until you show evidence that you have fixed the violation. I've seen it happen to smaller companies for far less serious breaches than what happened at Target. That the credit-card companies did not do so with Target has more to do with their fear of losing their income from all those Target sales than it did with not pronouncing a "death sentence" on the retailer.
Of course, that sort of threat is the only thing that will incentivize retailers to take credit-card security seriously. Without it, companies are always going to go cheap and easy, because any bad effects will affect only the customer, not the retailers themselves. But if suddenly a breach of credit-card data could put them at risk of becoming unprofitable, you can bet that more stringent methods will be put into place to ensure that nobody can walk out the door with a thumb-drive full of customer data.
And while I am no fan of excessive government regulation... if the retailers won't do it, and the credit-issuers won't do it, and the customer can't do it, what other option is there but for there to be a law to ensure it gets done?
(Score: 1) by Angry Jesus on Tuesday February 18 2014, @05:41PM
Well, should we punish every retailer that suffers a data breach?
Maybe we need more creative forms of punishment rather than worry about the exact details of the incident.
I'm thinking "Scarlet Letter." Lose control of customer data, now you have to post a banner across the front of your store as large as the sign with the name of the store that tells customers what happened in a simple, standardized way.
California does something like that with respect to restaurant inspections - a letter grade must be posted in the front window that shows what score the place got on the last inspection. Anyone who doesn't have an "A" posted puts their business at a serious disadvantage.
(Score: 1) by girlwhowaspluggedout on Tuesday February 18 2014, @08:43PM
I tend to agree. The ideal free market ("perfect competition") requires, among other things, access to information. In this view, then, truly informed purchasing decisions depend on the ability of the consumer to learn about the past failures of businesses in guarding customer data. That doesn't mean, of course, that it has to take the form of government regulation, since it is just as feasible for companies or watchdog groups to provide such Scarlet Letter data.
Soylent is the best disinfectant.