This came up in ATMB: when trying to analyze The Great Google Block, they shut the ads down (where the culprits likely entered) and then opened them up again so they could track the malware flow. Not only did this cause some comment, as they say, but it was more worrisome that it was mentioned in an aside.
But this isn’t that for that forum (although maybe it should be).
Now I’m more concerned/pissed off about the issue because eBay was hacked, and they keep a shitload more information on things relating to finances.
I just got a letter from them: we were hacked, change your password, etc. I killed the email already, so I don’t have the dates, but in it (and even then not on the site once you’ve signed in) it said the hack was discovered several months ago. Well, thanks a lot, eBay.
So, back to subject hed:
Are there any laws that require them to tell us things like that?
1a) There must be lawsuits out there in which this figured. Right?
1b) If so, is it a Better Business Bureau type thing? I don’t even know what the/a BBB is, as to Federal, a State, or City enactment, so help me out here if it is pertinent.
Is it too new a problem that Congress hasn’t gotten around to deal with it (interstate commerce, I’m guessing)? Or more local jurisdictions?
Easy analogy: a bank gets robbed; I should think they have to tell you within a certain time frame. Similar laws must be around for all types of corporations, private and public (e.g. HIPAA), yes?
Leo
I would say that a business has a duty to notify any customer affected in some meaningful way. A bank robbery would be pretty much irrelevant unless safe deposit boxes were involved. Any money taken from tills would be covered by insurance and you would lose nothing, therefore no obligation to notify you.
To make clear, although my OP is fine as it stands, I’m also asking about any requirements for a website or corporate entity to inform its clients within a certain timeframe.
In the US, 47 states have enacted security breach notification laws which require notification to clients if their private information has been compromised. Of course the details of exactly what is covered, timing, etc. will differ from state to state.
Thank you very much. IAMNAL, and am digesting this now.
Don’t know where eBay is located. First checked SD, since I know Illinois, and I think it had a law pertaining only to Illinois residents affected. The NY one does not limit the location of those whose data were released.
Some points that may or may not apply to the eBay case:
“Security breach” can mean any number of things, many of which don’t involve compromising private information.
It can indeed take months from initially discovering a breach, to determining exactly what was compromised and making sure the vulnerabilities are all closed.
Often it’s impossible to be sure exactly what the bad guys got to, and notifications are made on the basis of “we can’t rule out the possibility that user accounts were accessed, therefore we’re obliged to act as though they were”.
Law enforcement agencies sometimes ask for announcements to be delayed.
The rules now are mainly for healthcare and financial and government. Nothing on general commerce, really. There is an act that was revitalized after Target to make it so that all breaches would be reported (as soon as I remember/find it I’ll post it).