Ugh. Have you all seen this? Usually, I'd say that there is no shame for an FS company to report under CA SB1386 - I say this because I think that the difference between the firms that are reporting and the ones that aren't is the degree to which the security folks know the systems and processes in use by the business (meaning that everyone should report, but some don't because they are clue-free enough to assume that they've got it all under control). Seriously; describe to me the difference between a burglar walking off with desktop machines (by precedent an incident requiring disclosure) and one or more brokers/advisors/etc. using their insecure, unprotected, directly-connected-to-the-internet, and riddled-with-spyware home machine to store their client lists. Seems to me like it's the same thing, but what do I know?
Anyway, I guess my point is that I think these CSOs (particularly one very astute Bostonian who I respect very highly) didn't say the most important thing; that in the end the business will do what the business does - sometimes you'll know about it and sometimes you won't. Be it storing the addresses on tape and losing them (if you're a bank) or making the decision to release patches quarterly if you're a vendor (although I think we're safe for the time being from a vendor doing something *that* obviously unsafe - heh), businesses need to do what enhances profitability.
Anyway, usually I would agree with that, but in this case BOA really needs to get their name out of the press; between the 1.2 million addresses and the poor guy who lost all that money from fraud and BOA won't give it back, they need to do something. Seems like paying that guy his 90k would have cost them less, right? Oh well, you live and you learn.
Posted by Ed at March 2, 2005 11:40 AM