(Edit: Originally posted 4/16/14 @ 7:45 PM Reposting because WordPress keeps dropping my posts o.O)
There is no federal legislation that requires organizations or individuals to notify victims of online data breaches (Tucker 2014). Something I found pretty cool considering the frequency of data breaches at major companies lately. It varies from state to state. So when Target or TJX or the next company to lose your personal information waits months to let the victims know that their personal financial information has been stolen, there is very little legal recourse for the victims, especially if the company resides in a state in which the laws are lax or nonexistent.
This is definitely a case of technology outpacing legislation.
I don’t believe ANY digital security failure should require release to the public. If every site that found an insignificant breach released that information to the public, we would be so inundated with notifications that when we actually needed to pay attention and take action, the public would be too complacent. On the other hand, though, we should have a right to know whenever our ‘private’ information has been accessed. Mat Honan of Wired was socially engineered out of a Twitter account by someone who accessed his personal information and posed as the account holder. His Apple and Gmail accounts were just collateral damage. Luckily the hackers were just in it for his Twitter account; had they wanted to cause serious damage, they could have with all of the accounts they got access to. It wasn’t even from Apple that Honan found out his account had been accessed by someone else; he was notified by one of the hackers (Honan 2012). If the policy were to verify or notify whenever private information was accessed, there may have been a chance to stop all or part of this hack.
It doesn’t make me that much more wary to shop online knowing that at any point our data could be accessed by a third party and there is no rush by the party that was breached to let me know about it. I was already wary of corporate online security, so I don’t shop online much as it is, and I certainly don’t bank or send financially sensitive information to my email(s). I use a third-party site rather than give online retailers my credit card number, but Heartbleed may have affected that site as well.
I wouldn’t say I am more or less likely to shop online. Definitely less likely to bank online. I am also one of the people who doesn’t tie all of their accounts to each other and then use the same password for all of them.
Honan, Mat. 2012. “How Apple and Amazon Security Flaws Led to My Epic Hacking.” Wired. Retrieved from http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/
Tucker, Eric. 2014. “No Consensus on How to Notify Data Breach Victims.” Associated Press. Retrieved from http://www.nwitimes.com/business/local/no-consensus-on-how-to-notify-data-breach-victims/article_83f5e298-6443-5a2e-a06b-0eb22b4b9714.html