In general, I think that the new breach disclosure laws are good for society. The one risk that I worried about, but that all the consumer advocacy groups pooh-poohed, was the threat of frivolous lawsuits over good-faith attempts to comply with the disclosure laws.

I don’t know if that’s the case in the Heartland breach yet, but I’m worried about it. For those of you who haven’t been following the case, Heartland Payment Systems is a transaction processor for debit and credit card transactions, handling about 100 million transactions per month. On 20 January 2009, they disclosed that their systems had been compromised in 2008 by hackers using “sniffer malware” to capture numbers as they went through the processing platform. No SSNs or PINs were exposed, but customer names and card numbers were. According to their release, Heartland’s security team started working on the incident in “late 2008”.

One week after making their announcement, Chimicles & Tikellis LLP filed a class action lawsuit asserting that Heartland “made unreasonably belated and inaccurate statements concerning the breach.” The complaint also says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach.

For a major incident involving the compromise of a core system, due diligence (and the law) requires an intense and detailed investigation. If they’re smart, Heartland also brought in several layers of law enforcement, each of whom would want more information and their own time to investigate. We don’t have the full details yet but based on what we do know so far, a disclosure in January seems pretty prompt to me.

As to the offer of credit monitoring service, I haven’t seen anything that would indicate that it’s justified. Compromised credit card numbers can’t be used to create new credit accounts or commit identity theft. The thieves could make charges on the cards, but 1) the accounts have been shut down so no further damage can be done and 2) even for the fraud committed so far, the victims’ liability is capped at $50 (and probably won’t even be that high in this case). Credit monitoring won’t provide any protection in this case.

Note that there’s nothing in the suit about whether the company properly protected the customers’ information. Clearly, they should have done something differently but that’s not what these lawyers chose to address. Nor are they talking about real damage or losses to the consumers. They’re arguing only about technical compliance with the breach notification laws.

Even if the company wins the suit, fear of similar suits will increase costs (which are inevitably passed along to customers) and may create a perverse incentive for future companies to cover up a breach rather than risk being sued after disclosing it. If left unchecked, that abuse will erode and quickly outweigh the societal good that comes from the breach disclosure laws.
