In an article (“Credit card numbers reported stolen from R.I. state Web site”) about the Rhode Island breach, I found the following quotes:
The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit cardholders were affected, she said.
NEI tightened security, Loring said, although she declined to describe the measures. She said the Web site is “absolutely safe” and the intrusion was reported to financial institutions.
The state did not tell consumers about the breach in December because the hacking appeared limited, Najarian said.
So let me get this straight… The breach was reported to financial institutions, but not consumers… The people who found the breach made several mistakes in their analysis. The people who found the breach couldn’t be bothered to tell eight citizens about what had happened.
Was there a question of why we don’t want a ‘no apparent risk’ clause in the laws?
(Little girl illustrating corporate strategy photo by Brndnprkns.)