There's a lot of work still to be done in defining the rules of stewardship for digital identities. We agree with the San Francisco Superior Court that it is not the duty of Visa U.S.A. and MasterCard International to warn credit-card customers that their personal information may have been breached by third-party negligence; we'd argue, though, that this is the beginning rather than the end of the discussion of who owes what duty to whom.
At issue was the compromise of the data of more than 40 million cardholders, with records of about 200,000 cards thought to have been lifted from payment processor CardSystems' network. Disclosures are mandated by the California Security Breach Information Act, which requires companies that are based in California or that have customers in California to notify the customers whenever their unencrypted personal information is lost, stolen or breached. Visa and MasterCard maintain that the banks that issue credit cards have the responsibility of customer notification because they have direct relationships with the affected customers. Visa and MasterCard may not have been at fault for the breach at CardSystems, but their reputations nonetheless suffered by association with the incident.
The bigger issue, however, is how to handle identities in the first place. As states begin to follow California's lead and pass their own acts involving personal-information security breaches, regulators and legislators need to be just as aware of the issue of who holds the title to information as they are of the questions of who holds the title to a car or to a home—and what steps need to be taken to protect consumers when their identities have been breached.
There are a few things we'd like to see implemented from the outset. For one, we encourage enterprises to decide with caution what they'll do in-house and what they'll hire others to do when it comes to holding and managing confidential information and transactional records. In the same vein, supply chain partners need to negotiate explicitly and follow up responsibly on agreements concerning data handling, use, retention and even disposal.
No matter what lawmakers decide or how enterprises claim they will protect consumer information, individuals need to take steps to protect themselves as well. Consumers should take common-sense steps such as holding multiple credit cards from multiple banks so that they can cancel one provider's cards if needed without disrupting use of the others.
We're glad to see Microsoft working on the development of its federated identity management system, "InfoCard," with Firefox and Opera browser developers, The Apache Software Foundation and Apple Computer. But the fruits of that labor will come in the future.
There is no question that consumers have the right to be fully informed of the status of their personal and financial information—from that imperative there is no escape. It will take years and some patience, but the efforts of lawmakers, businesses and consumers must work toward making that right a real fact of day-to-day e-commerce.