When data breaches occur should law enforcement & private companies withhold notifying the public?
TX - Huntsville Police Department, Walker County Sheriff’s Office, University Police Department and the U.S. Secret Service worked together to determine the source of the thefts of debit and credit card numbers by virus-infected computers at Margarita’s Mexican Restaurant.
Margarita’s was hit by a type of “skimming,” in which credit card numbers are stolen before they can be encrypted by the restaurant’s point of sale system.
Skimming debit and credit card numbers can occur in many ways, remotely by computer hacking or on-site by a device placed on a computer, authorities said.
Residents began alerting the police to the problem almost three weeks ago, and a large jump in reported cases occurred about two weeks ago. Victims are still bringing cases to authorities as they find evidence in their bank and credit card statements.
Should law enforcement be withholding information like point of compromise for fear of hurting a business? Law enforcement may take the position that it’s not their place to notify the public and that it’s on the entity to disclose the information, but there’s something that doesn’t sit right about this approach. Doesn’t law enforcement work for us and not for the business? I wouldn’t mind if they tell an entity, “Look, we’ll give you today to get a press release or notice out to the media or on your web site or store door, but after that, we will disclose if you haven’t.” But that doesn’t seem to be what happened here. In this case, law enforcement decided that the risk to consumers outweighed other concerns. But if it hadn’t… then what?
The banks cancel cards and don’t tell us where a breach occurred – often because they’re not told, either.
Law enforcement may not tell us where a breach occurred.
Breached entities may not tell us when they’ve been breached.
This is really unacceptable.
And no, there’s no notice on Margarita’s web site about the breach as of the time of this posting.
Whose job is it to warn consumers? The restaurant’s, say the feds. Local authorities, however, stepped in front of our popular local restaurant, arguing that the business itself was also a victim. At the time and in a stroke of community paternalism, The Huntsville Item newspaper agreed.
Some Huntsville residents suffered losses, inconvenience and the indignity of having a card declined because of the theft of numbers that occurred at the restaurant they favored with their business. Likewise, banks and credit card companies are out hundreds if not thousands of dollars because of what happened in Huntsville.
The Item warned its readers of this massive case of fraud through the enterprise of its reporters — by following up on rumors and listening to the police scanner. The paper could have — and should have — followed up on early rumors about what business had been linked to the crime.
That way, we might have been able to alert you to the threat that remained even after we reported that the “problem” had been fixed. That buck stops on the desk of the managing editor.
Some of you said you appreciate the quandary The Item and local authorities faced — warning consumers or protecting a victimized business. And yes, we want investigators to investigate and businesses to be accountable to their customers. But, to the best of its ability, the local newspaper should have your back when no one else does. We apologize.
Links:
http://itemonline.com/opinion/x1241072255/Our-View-Whose-job-was-it-to-warn-us
http://itemonline.com/local/x202403217/Police-weigh-risks-when-informing-public-about-credit-card-fraud