
A recent article from Computerworld reports that online broker TD Ameritrade may have been warned about a security breach a year or more before it publicly acknowledged the problem and warned those customers who might be affected.
While the parties and the courts will no doubt sort out the fault, this situation begs a question. Just when should a company inform customers, business partners and others with whom it does business that a security breach has occurred?
My knee-jerk response is to say that as soon as a company knows a breach has occurred, it has a moral and ethical obligation to inform anyone who may be affected. But what if the company just suspects that some hanky-panky is going on? What if some customers, as in the TD case, are reporting getting spam e-mails, but the phenomenon is not widespread?
Spam is a fact of life for everyone who logs on to the Internet. We may filter it, block addresses, and even block entire domains, but the plain fact is that spammers have ingenious ways to get around our defenses and--driven by fat profits--they have a powerful incentive to stay ahead of us mortal users in the security race.
Unless there can be a definite link established between a protected database and what is contained in a spam message, I would be hard pressed to say that the mere fact of receiving, as in this case, finance-related spam is enough to break the glass and pull out the fire axe.
On the other hand, all financial enterprises--including insurance enterprises--must be highly vigilant, especially when someone complains about spam that relates to our products or that contains personal information about the complainant. If you smell a rat, you would be well-advised to break out the rat poison and set some traps. If there is a breach, and if lawsuits follow that breach, insurers, brokers and agents need to show that they have been thoroughly responsible in attempting to root out and solve the problem--and in warning anyone who may be affected by the breach.
Certainly, it is difficult for any company to admit that its defenses have been compromised. It is probably for this reason, more than any other, that companies wait to share the bad news. Increasingly, however, lack of alacrity in reporting problems and warning customers will be a legal problem for financial companies, who will be accused of not acting responsibly.
My "guru senses" tell me that we are likely to see many related lawsuits as online security breaches continue to increase. Cyberspace is truly the organized crime environment of the 21st Century.
What's your view? When does a company blow the whistle on itself--and when should it wait for further developments? Post your thoughts here!
Comments (1)
While it's important to contact consumers that may have been affected, it's more important to contact law enforcement first (FBI, local police, etc.). States may have additional requirements about reporting to one of their offices as well. After determining that notifying consumers will not impede any investigation, they should definitely be contacted ASAP.
Posted by Rachel | September 19, 2007 2:00 PM