Using a Data Breach as a Sales Opportunity

Recently, I was presenting a work-in-progress report on the data breach study I've been working on for about two years. Data loss is an area that I'm interested in, and I had an opportunity to talk to several people during the SecureWorld Expo conference about it. One conversation got me thinking.
I was talking with a panelist (let's call him John) after the event had completed about data breaches, and he related an experience he'd had. John indicated that his bank replaced his credit card due to one of the larger card breaches recently. Once he completed the activation IVR process, he was told he would be transferred to a live operator. The person on the phone proceeded to try to sell him a monthly credit monitoring service. John asked if it was required to activate the card, and the person told him his card was already activated and that the service was not required. He chose not to take the service.
John then related the scenario to both his wife and his mother, and they both thought he should have taken the service--they would have. Since John works in the Information Security field, he is somewhat immune to the sales tactics that capitalize on the fears consumers hold about card fraud and identity theft. His wife and mother have no such defenses.
This is an example of a company using the public's fear of someone stealing our credit cards--when people are at their most vulnerable because the event has occurred--to sell products. Granted, they do this all the time in the flyers they stuff into our monthly bills advertising their service, but this is different. This is a case where the company has an obligation to protect the data, and is using the failure of that duty as an up-sell opportunity. Since they have access to their customer base at this vulnerable time, they have a unique opportunity to increase sales of this product when the customer's emotions are at their peak, having just found out their card was compromised.
While I personally do not know the details of the breach that caused the re-issue of the card, and the bank in question may have been powerless to prevent the breach, it still seems to be skating that grey area between ethical and unethical business practices.
On the flip side, I also had an opportunity to hear the Heartland CIO, Steve Elefant, speak on Realizing End-to-End Encryption in the Payment Industry. He indicated that Heartland will be marketing their own PIN pad device that is reputed to have solved some of the problems that the current offerings suffer from--such as vulnerability to physical attack and weak encryption. I have not evaluated the devices, and in no way is this an endorsement of the product, but I do think this is a good example of an ethical way to react to a data breach event. Heartland is offering a product for sale that solves some of the existing problems which may lead to data breach, and it is not leveraging the event to prey on the fears of the victims.