Sunday, July 6, 2008

Grave Robbers Hit Montgomery Ward For Up To 200K Credit Card Numbers

The AP is reporting that the online retailer Montgomery Ward was breached back in December, exposing between 51,000 and 200,000 credit card numbers along with their expiration dates and CVV2 codes. Details of the breach aren't widely known, and it wasn't reported whether Direct Marketing Services [DMS], the company that purchased the Montgomery Ward name out of bankruptcy, was PCI DSS compliant.

None of that information is that troubling to me, however. Breaches happen. We learn from them (hopefully) and move on. What irks me about this one is that DMS didn't notify their customers after the breach occurred. Since the penalties for non-disclosure are far less (non-existent in some cases) than the costs associated with replacing credit cards and monitoring up to 200,000 credit reports, DMS did what companies do best: act in their own self-interest, watch the bottom line, and hope nobody finds out.

Obviously there is no easy solution to this problem. DMS followed the guidelines and notified the banks of the breach. However, the banks are not mandated to notify a customer that their information was potentially compromised. Disclosure is left up to the merchant that was originally hit, which will ultimately pay for any and all costs associated with replacing the cards and monitoring the accounts.

Unfortunately, this is a case where the private market will not lead to an efficient outcome. Legislation is needed in order to hold companies accountable for the non-disclosure of breaches of private and financial information. We will see proper disclosure of breaches when we start walking CIOs and CEOs out of headquarters in handcuffs and making the fines high enough to make full disclosure seem like a bargain. I hope companies start doing the right thing by their customers, but I, for one, will hold my breath.
