This story appeared on Network World at http://www.networkworld.com/columnists/2005/042505bradner.html
'Net Insider
Big problems and little horror stories
By Scott Bradner, Network World, 04/25/05
This is a story that won't go away for quite a while and is likely to get far worse before it gets much better. In the few weeks since I last wrote about the rampant data protection problems that are facilitating widespread identity theft, things have gotten worse - mostly not because things have actually gotten worse but because we're finding out about incidents that were kept secret.
One story that perfectly illustrates the disregard that major companies have for the protection of the privacy and financial well-being of the general public involves Polo Ralph Lauren Corporation. On U.S. tax day The Boston Globe broke the story that Polo Ralph Lauren Corporation had had a computer break-in last fall but decided not to tell the people it had put at risk about it. The only hint of the situation came out at the beginning of April when a bank (HSBC North America) notified 180,000 holders of a GM MasterCard that they should get a new card because their card number might have been compromised. MasterCard said it had been notified in January of the break-in but refused to say what merchant had the problem. Later, Visa said the same thing.
There is a long list of what is wrong with this picture: Polo Ralph Lauren decided to not protect its customers by telling them right away about the risk that the customers now faced because of the failure of Polo Ralph Lauren to properly protect the credit card information.
The credit card companies waited more than three months to tell their customers to watch their credit card statements. The credit card companies refused to tell the public who caused the problem so the public couldn't modify its shopping habits to avoid a merchant that puts its customers at risk.
So far it looks like Polo Ralph Lauren will not pay any penalty, nor will it be responsible for helping anyone whose card information was stolen to recover. Other issues were brought up in a hearing held by the Senate Judiciary Committee on April 13.
This hearing detailed many problems and little horror stories about the inability and, apparently, unwillingness of companies that know all about us to keep that information out of the hands of those who would do us ill. The immorality of companies such as Docusearch, which for $154 sold a killer information that led him to his victim, is only slightly clearer than the immorality of data brokers such as ChoicePoint and LexisNexis that have provided almost unfettered access to similar information for a few dollars.
Congress, and state legislators, might just pass some of the many bills now in front of them. Sadly, the best of these bills will only require data vendors to take a little bit better care of our data and to tell us when the data gets exposed - none even tries to deal with the fundamental immorality of the basic business.
Disclaimer: Harvard tries to teach morality and seems to succeed more often than not, but the above opinion of immorality is mine, not the university's.