Security breach disclosure practice

Posted on May 15, 2008, under general.

For a long time now, we at Digital Rights Ireland have been campaigning for a law which would oblige companies who store our data to inform us of the details of any security breaches.

This is a hot topic, with recent disclosures from the Bank of Ireland, and the Irish Blood Transfusion Service, of just this nature. Today I received a letter in the post from Adobe, informing me that some details I uploaded to their website may have been similarly subject to compromise.

As part of the process for making a student-discount purchase with Adobe, I was asked to upload a scan or photograph of my student card – which I was happy to do – and it appears that those images may have been available for others to view. According to the letter, this process may have been used for credit card details in some cases.

In the absence of a law obliging them to do so, Adobe, BoI and the IBTS are actually to be commended for telling us about these breaches of security. Of course the notifications may be driven by an increasing consensus that not to do so would be a true negligence, as the real-world ramifications and triviality of identity theft are increasingly apparent, but it is welcome nonetheless. It is better at least to know that it has happened.

When the Bank of Ireland revealed its problems with laptop theft, it was big news, and widely discussed; ordinary consumers expressed fears, the data protection commissioner made recommendations and our collective security has improved since. Already, the adverse commercial effects of these notifications are spurring other businesses to review and audit their own practices. This can’t be but a good thing.

But despite these voluntary notifications, and the emerging consensus of their necessity, there are similar events like this every week that go unreported. Maybe the new Minister for Justice, Dermot Ahern, with relevant experience from the Dept. of Communications, can remedy this situation. In the meantime, I think we’re actually better off with the companies who do tell us about these problems; at least they are proving a track record that the customer should matter.