[Clips] Credit Data Firm Might Close

Perry E. Metzger perry at piermont.com
Fri Jul 22 13:35:29 EDT 2005


>  The head of a payment processing firm that was infiltrated by computer
>  hackers, exposing as many as 40 million credit card holders to possible
>  fraud, told Congress yesterday that his company is "facing imminent
>  extinction" because of its disclosure of the breach and industry's reaction
>  to it.

Seems reasonable to me...

>  "As a result of coming forward, we are being driven out of business," John
>  M. Perry, chief executive of CardSystems Solutions Inc., told a House
>  Financial Services Committee subcommittee considering data-protection
>  legislation. He said that if his firm is forced to shut down, other
>  financial companies will think twice about disclosing such attacks.

That implies that they had a choice about coming forward, and that
they heroically did so and are being punished for it. In fact, they
screwed up horribly, hid this screwup from auditors (or somehow passed
the audit anyway without the auditors discovering the screwup -- which
is unclear) and then were forced to come forward with the fact that
their screwup was exploited by bad guys. Other firms will not "think
twice about disclosing such attacks" because as a matter of law,
contract and fiduciary responsibility they had no choice. I doubt they
wanted to tell people what had happened -- they were forced to -- and
they should not get points for simply following their legal
obligations.

>  [he] called the decisions by Visa and American Express draconian and said
>  that unless Visa reconsiders, CardSystems would close and put 115 people
>  out of work. CardSystems handles only a small percentage of American
>  Express transactions, while Visa accounts for a large part of its business.

It seems to me that, without fear that failing to live up to their
fiduciary responsibilities will result in the destruction of their
livelihoods, there is no incentive for people to do the right
thing. Mr. John M. Perry should be happy that he is only losing his
job and likely the ability to get another one like it -- he could be
going to jail instead. If he and his employees had merely done their
job, as they were obligated to do by contract, nothing bad would have
happened to them. It is not "draconian" to be forced out of business
for revealing the confidential financial information of FORTY MILLION
PEOPLE because you not only failed to secure your systems but also
deliberately disobeyed your contractual obligation not to store
cardholder data so that you could do data mining.

>  While [John M.] Perry said his company is doing everything it can
>  to ensure that such a breach never occurs again, Visa said it could
>  not overlook that CardSystems knowingly violated contractual
>  requirements for how long credit card data were supposed to be
>  stored and how they were secured.

Seems like a reasonable opinion on the part of Visa. I'm frankly
shocked that they are doing the right thing here -- I was expecting
they'd gloss over the whole thing. Good for them!

>  "The CardSystems incident is a spectacular failure" of private industry to
>  effectively secure personal data, Rep. Carolyn B. Maloney (D-N.Y.) said in
>  urging greater regulation. "We need to provide the legal structure to fix
>  it."

Hmm. Interesting. The Corporate Death Penalty -- the bad company being
driven out of business -- is apparently not enough. We need to pass
more laws so we can show we really mean it!


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List