The game plan just changed!
Interesting article on how Visa is trying to encourage vendors to adopt chip and PIN technology. The carrot here is a loosening of PCI DSS requirements for vendors who invest in technology for reading chip and PIN cards. There are flaws to this approach.
1. If you build it they won’t come. The regional financial institutions have far more to do with whether clients are using chip and PIN cards than the merchants do. Merchants will not upgrade their technology if their clients don’t have chip and PIN cards, and may not even have the option to do so if the vendors of their payment systems are not currently providing it.
2. Benefit value not tangible for small and midsized vendors. PCI DSS requirements are barely enforced for smaller scale vendors, who will not likely see a loosening of requirements as a benefit. According to the article, 75% of transactions must go through chip & PIN cards, so the investment in technology will not guarantee a loosening of PCI DSS requirements.
3. Benefit value doesn’t address the most expensive part of compliance for larger non-compliant vendors. The most difficult aspects of PCI DSS compliance are not the annual ones, but the one-time changes involving capital investments in technology or significant development projects to restructure applications that have vulnerabilities or otherwise store payment card data. Even the one-time documentation of controls, development of policies etc. are not waived here. Once you’ve done all that work once, the annual compliance requirements are far less onerous. So, thanks but no thanks.
4. Why loosen standards as a reward? The fourth flaw with this approach is really the most glaring. Chip & PIN technology is a step in the right direction, but it’s not a panacea for credit card fraud. So why loosen standards? Isn’t this counterproductive to the reason chip and PIN cards are used in the first place? PCI DSS is a good standard, and a good practice for merchants to follow regardless of whether the bank is auditing or not. Waiving the requirements (which are already loosely enforced) is a dumb way to reward merchants.
Here’s the full article.
With privacy playing a greater role in consumer advocacy, marketers need to get smart about compliance with CAN SPAM and FISA (Bill C28, the Canadian equivalent). An IAPP member posted this link to one of the privacy groups I follow on LinkedIn. A great resource. Enjoy!
I’m not going to say I predicted it here, because I’m sure the act was well on its way to Congress when I wrote that Sony’s testimony to Congress would result in federal level privacy legislation. A few days after I posted it, the act received a name, SAFE Data, and soon enough copies were made available online. The goal of the act is to hold organizations accountable for reporting data breaches which impact personally identifiable information. While a rash of significant breaches did help speed things along, the SAFE Data act has likely been in the works for some time.

There are many positive changes expected as a result of this act which in all likelihood will be passed given the current climate surrounding cyber crime and terrorism. Highlights include:
· Federal level requirements for securing private data. This is the most compelling change, given that privacy legislation is most common at the state level, thereby limiting the exposure of corporations to laws in certain states.
· Mandatory breach notice within 48 hours
· The right to expand the definition of PII (personally identifiable information) to new categories as deemed fit by the FTC
This act is a step in the right direction but there are at least two points to bring up.
Harm Threshold.
This basically determines who decides when the impact of a breach is significant enough to merit disclosure, and that who is the business that incurred the breach. The harm threshold is intended to reduce unnecessary red tape involved in reporting a minor incident, but presents a potential loophole to businesses who want to avoid the bad press that comes with reporting a breach. This may be something that gets taken out of the proposed legislation, as the harm threshold was a sticking point with HITECH legislation as well.
Another one off
Breach notification addresses one very limited aspect of privacy. The US continues to address privacy issues at the federal level in a patchwork of industry and issue specific law that makes privacy a very complex concept for businesses to address. Enforcement is also limited because most privacy violations still occur at the state, not federal, level, and the lack of a single coherent piece of legislation also makes it more difficult for businesses to adhere to privacy requirements.
Kudos to Congresswoman Mary Bono Mack for her advocacy, and to US lawmakers for getting their behinds in gear to address large scale breaches. Despite its flaws this bill represents a leap forward in privacy legislation in the US.

I recently had a discussion at a dinner party with some people who did not have a Facebook page, and one person who wished they didn’t have a Facebook page. Boiling it down some, there were two general complaints: (1) they didn’t care for the updates and contact they had with so-called “Facebook Friends”, which to me is an easy fix, and (2) they were concerned about online privacy.
I was asked for my opinion on Facebook privacy settings, and I’ll state it here for the record that I wouldn’t want anyone who wasn’t relatively social media savvy setting up a Facebook page* (not if they are concerned about their online privacy). The default settings are atrocious, and by the time most folks figure them out, Facebook will have changed the interface. I’ve said it here before, and I’ll say it again: Facebook does not care about your privacy!
(*) I consider my dad to be very tech savvy for his generation, but my siblings and I still had to have an intervention to fix poor dad’s privacy settings.
I’ve also predicted (for whatever it’s worth) that when Facebook, as we know it, eventually meets its end, it will be as a result of its own ubiquity. Facebook used to have the cachet of being offered to students only, and grew popular in areas like Boston, New York and Toronto where there were plenty of web savvy young people. Today, Facebook belongs to the world, to your grandparents, and more importantly, to marketers at faceless corporations who want to meet consumers where they live.
Do I think the end is near for Facebook? Well, it’s not going to happen tomorrow.
Facebook is about to set another milestone with 700 million users worldwide, but that is exactly why it should have a target on it. With its current valuation there’s a distinct possibility that Facebook could diversify. Facebook took on Foursquare-like functionality with geo-tagging and moved closer to being a true email provider by enhancing mail, although it will have to invest in something far more concrete to truly diversify itself as a corporation; think mobile phones or cloud infrastructure.
Privacy woes could quickly turn into security worries as spammers, hackers and criminals start abusing all that open code. It’s happening already with like-jacking and it won’t be long before Nigerian Princes befriend you on Facebook. In the same way that Hotmail has become synonymous with spam and Myspace became a Russian/Filipino wives catalog, Facebook, with its increasing access to user information, could become so overrun with social engineering, spamming and other abuses (including legal corporate abuse), that users will abandon Facebook.
As this article points out, the Facebook decline is happening in Canada already. At one point Toronto was the Facebook hot-bed of the world. So while Canucks were the early indicators of Facebook’s popularity, we could also be an early indicator of its demise.
NOTE: Tune in for more on social media and privacy this week as I tackle LinkedIn Analytics!
Greater consumer concern, fraud and a general poor showing by corporations should lead to more stringent privacy requirements for corporations worldwide.

Privacy in the news
Few images expressed the impact that privacy breaches are having on corporations as well as this recent photo of Sony executives bowing for forgiveness before the Japanese public in shame over the company’s PlayStation Network and Qriocity data breaches, which exposed 77 million accounts including personal information. This headline maker was just one of many corporate privacy breach stories that unfolded over the past few months.
The topic of privacy has even become fodder in the battle between web giants Facebook and Google. The fact that both Facebook and Google, who have both fought and lost major privacy battles for their countless violations, are accusing each other of violating the trust of the public signals the growing clout that privacy has in the mind of consumers. More than mere finger pointing, Facebook actually hired a PR firm to plant negative news about Google’s privacy violations.
Before the month of May ended we saw a major breach at Honda, and insider data breaches that cost Bank of America 10 million dollars. The fraudsters in the bank case were able to leverage personal information (PI) and email accounts in social engineering schemes that eventually granted them access to users’ chequing accounts. This demonstrates the vulnerability of PI to fraud.
A Federal Response
Since writing this post, Sony and Epsilon, who actually got the whole ball rolling with a massive breach in late March, have agreed to testify before a congressional subcommittee with regard to recent privacy violations. Don’t be surprised if this represents the beginnings of privacy legislation on the federal level like none we’ve seen before. Consumers should expect (if not demand) the rollout of new corporate accountability laws with echoes of Sarbanes-Oxley (SOX) and Dodd-Frank, making privacy the corporate accountability dish du jour.
SOX legislation, a response to the Enron debacle, and Dodd-Frank, which was passed in response to the “too big to fail” bail-outs of American finance and automotive giants like AIG and GM, both addressed corporate abuses on a federal level.
Currently, US privacy laws are largely rooted in state law. States such as Massachusetts, New York and California have very strict and prescriptive privacy regulations; however, privacy addressed at the state level limits liability to residents of these states only. For the most part, corporations found violating privacy laws have gotten off easy.
In fact, the most notable damage to corporations was really done through fraud and not private litigation. This explains why even Sony had measures in place to encrypt the potentially lost credit card data. Keep in mind that the current standard for securing payment card data is an industry regulated standard loosely monitored by the credit card companies and their banks, and that the law has very little to do with merchants’ compliance with PCI DSS.
An Anti-Privacy Corporate Culture
I once read that the difference between European and North American views on privacy is that Americans mistrust their government, but are willing to turn a blind eye to corporate privacy violations, whereas the Europeans are much more guarded about corporations, as a generality.
Now consider what happened in the Netherlands recently when TomTom sold private GPS data to police. This would be a direct violation of the privacy principle of onward transfer, one of the cornerstones of the Safe Harbor framework that the EU has set up for American corporations dealing with European clients. Frankly, corporations have been getting away with massive privacy violations on both sides of the pond.
Let’s face it, commerce has made a nearly full migration to the web, and even where transactions occur within brick and mortar retailers, sophisticated point of sale (POS) tools create digital footprints that can be leveraged for data mining through business intelligence tools and savvy analytics. Corporate use of consumer data doesn’t need to contradict privacy principles, but it’s more profitable to cross the grey lines of acceptable use than to take measures to protect it. At least that’s the message the public is receiving.
While some may point to Sony’s poor financial performance as a motivator for improving privacy practices, Sony’s stock took a dive before it reported the privacy breach which occurred between April 17th and 19th, 2011.
The private sector is not going to regulate itself, and US legislation, a complex web of industry specific federal and general state legislation, is not designed to hold corporations accountable for how they collect, use and disclose personal information.
Key Takeaways:
Another blatant violation of privacy.
Below is a copy of the email I received from Sony regarding their PSN breach.
I’m not surprised that Sony didn’t advise users to cancel their credit cards, but they should have! This would (1) be an admission that cards may have been compromised, which they are very softly denying in their language, and (2) hurt Sony’s bottom line by essentially asking everyone to re-subscribe to their network with an alternate credit card number to replace the one they don’t advise you to cancel.
<Dear naive and lucrative Sony PSN customer>
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password, login, password security answers, and handle/PSN online ID. It is also possible that your profile data may have been obtained, including purchase history and billing address (city, state/province, zip or postal code). If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.
While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority.
Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment