Credit card companies a few years ago were dealing with the problem of stolen credit card numbers and expiry dates. If you have a bunch of these and an Internet connection you can buy a lot of things and do a lot of damage. Attempting to mitigate this problem, credit card companies came out with the idea of a CVC (Card Verification Check) number on the back of the card. The idea being that if you are not swiping the card, you would have to give this number as well in order for the transaction to proceed. This would prove that you physically have the card in your possession. But the key to this working is that no one ever stores the CVC. You enter the CVC during the transaction, it is transmitted for verification and it is NOT stored. Of course you are relying on businesses to not store this number. Nothing stops them from actually doing it. This is what happened at Geeks.com. Geeks.com sent a letter to their affected customers basically stating they are sorry for the breach, but it is now the customer's problem to deal with. Does anyone see a problem with this? A business fails in the security measures it decided on to protect customer data and it is now the customer's problem.
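The property the paragraph above describes, that the CVC is used once for verification and never persisted, can be enforced in the checkout code rather than left to policy. The following is an added example written for this page, not code from the post or from Geeks.com: the card input lives only for one authorization call, the persisted record has no CVC field at all, the card's own `repr` masks the secret so it cannot leak through logging or tracebacks, and an audit function checks the stored records and log output for the CVC value. The authorizer, the in-memory store, the log sink and the sample card are all constructed stand-ins.

```python
"""Added example: use a card's CVC only for the duration of an authorization
request and never persist it. The authorizer, store and log sink are
hypothetical stand-ins, not a real payment gateway."""
import logging
from dataclasses import dataclass
from typing import Callable, List, Tuple

log = logging.getLogger("payments")
_log_lines: List[str] = []  # constructed in-memory log sink used by the audit check


class _ListHandler(logging.Handler):
    def emit(self, record):
        _log_lines.append(self.format(record))


log.addHandler(_ListHandler())
log.setLevel(logging.INFO)


@dataclass(frozen=True)
class CardInput:
    """What the customer types at checkout. It lives only for one request."""
    pan: str
    expiry: str
    cvc: str

    def __repr__(self):
        # Mask the secret and most of the PAN so neither leaks via logs or tracebacks.
        return f"CardInput(pan=****{self.pan[-4:]}, expiry={self.expiry}, cvc=***)"


@dataclass(frozen=True)
class StoredTransaction:
    """The record we persist. There is no CVC field, so it cannot be stored by accident."""
    txn_id: str
    last4: str
    expiry: str
    amount_cents: int
    approved: bool


STORE: List[StoredTransaction] = []  # stand-in for the merchant database


def process_payment(card: CardInput, amount_cents: int,
                    authorize: Callable[[str, str, str, int], Tuple[str, bool]]) -> StoredTransaction:
    """Send the CVC to the authorizer exactly once, then persist a record without it."""
    txn_id, approved = authorize(card.pan, card.expiry, card.cvc, amount_cents)
    # %r goes through CardInput.__repr__, which masks the CVC and PAN.
    log.info("authorization %s for %r: approved=%s", txn_id, card, approved)
    record = StoredTransaction(txn_id, card.pan[-4:], card.expiry, amount_cents, approved)
    STORE.append(record)
    return record


def fake_authorizer(pan: str, expiry: str, cvc: str, amount_cents: int) -> Tuple[str, bool]:
    """Hypothetical stand-in for the card network: accepts 3- or 4-digit CVCs."""
    return ("txn-0001", cvc.isdigit() and len(cvc) in (3, 4))


def audit_no_cvc(cvc: str) -> bool:
    """Audit check: the CVC value must appear in neither stored records nor log output."""
    stored_text = " ".join(repr(r) for r in STORE)
    return cvc not in stored_text and all(cvc not in line for line in _log_lines)


def run_demo() -> StoredTransaction:
    """Process one constructed sample payment and return the persisted record."""
    card = CardInput(pan="4111111111111111", expiry="12/27", cvc="742")  # constructed sample card
    return process_payment(card, 4999, fake_authorizer)


if __name__ == "__main__":
    rec = run_demo()
    print(rec, "audit clean:", audit_no_cvc("742"))
```

The design choice worth copying is structural: because `StoredTransaction` has no `cvc` attribute, a later developer cannot "helpfully" persist it without changing the schema, and the audit function gives operations a cheap way to confirm that neither the database nor the logs contain the value after a transaction.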
The answer here to me is obvious. Businesses cannot be trusted to do the right thing. They can be trusted to do what makes the most financial sense, and they always will take this path. We have seen this time and time again and there are way too many examples to list. People like Bruce Schneier have commented on this over and over again for years. Lauren Weinstein has an excellent example of this.
The answer to this is easy. Put the burden on the companies, financial institutions and anyone that stores third party financial information. I’m not a lawyer and this would have to be legally worded, but something like this:
“If for any reason you in any way use or store for any period of time third party financial or personal information for any purpose, you are completely and totally responsible for any breach of this information, directly or indirectly, for as long as you in any way have possession of the data. You are legally and financially responsible for any misuse resulting from the breach of this information.”
We need to make it the businesses' problem. I think this is fair. The businesses decide their security measures. The businesses decide how to protect the data. The businesses decide what level of competent experts to hire to design, monitor, and secure their systems. As a consumer, I have no say or control in these matters. I am forced to trust them. Trust that they are secure. Trust that they are competent. When that trust that has been imposed on me is breached, they should be responsible. If the businesses are financially and legally responsible they will fix the problem. Businesses will fix the problem because, as we have historically seen over and over again, they do this by nature. They do what makes the most financial sense for them. By making them legally and financially responsible, it becomes in their best financial interest to protect customer data.
The only right thing Geeks.com did here was to contact law enforcement.