Most consumer lawsuits over data breaches do not pan out, assuming they even get their day in court: most are summarily dismissed before the merits are ever argued. That doesn't stop people from filing them. It's even reaching Canadians, a nation that US folklore deems "not litigious."
According to an informationweek.com article, Canadians are suing Honda Canada for CAD 200 million, which works out to about USD 206 million. If they win, whatever security measures Honda decided not to put in place will look like a pittance by comparison. (It's doubtful that disk encryption software like AlertBoot would have helped in this case, since it sounds like it was a SQL injection attack against a web application rather than a lost laptop. On the other hand, there's more to data security than encryption software.)
A breach in March left 283,000 Canadian Honda and Acura owners' information exposed: names, addresses, and VINs, as well as Honda Financial Services account numbers.
The breach is not your run-of-the-mill breach:
According to news reports, attackers accessed personalized website pages that Honda built with pre-populated customer data before inviting those customers in 2009 to access and customize the pages. As a result, even customers who hadn't signed up for myHonda may still have had their details compromised. [informationweek.com, my emphasis]
It's the kind of data breach you don't want on your hands. Certainly, the client information was submitted by the clients themselves at some point, and Honda obtained authorization to use it in the above way via some legalese, terms and conditions, or what have you.
But a breach affecting clients who never even signed up? Legalese or not, you're going to have clients who are seriously offended and who will swear never to buy anything from you again.
The informationweek.com article notes that Canadian laws require data collectors to expunge any personal data that has served its purpose:
Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous [informationweek.com]
Of course, the question is: when is a particular set of data "all used up?" After all, marketing is not a one-shot deal, and it can't be (and it won't be for the foreseeable future). That's why, if I turn on the TV today, most of what I see are ads for the same products I knew of 10 years ago, with a handful of new products that will sing their siren song over the next 6 months.
Certainly, if Honda had purged the data, they wouldn't be sitting on this mess today. At the same time, who's to say whether they'd be sitting on some other mess, such as finding that they have to go out and acquire customer information at a substantial price because they just purged perfectly good information (already tailored for their company)?
Of course, all of this is a moot point. As many experts have pointed out over the past month, with all the high-profile breaches we've witnessed, there is already a known and established way of avoiding SQL injection attacks: parameterized queries (prepared statements), which pass user input to the database separately from the SQL text instead of pasting it into the query string. Employing them doesn't cost extra, nor does it slow down development.
The truth is that Honda could have avoided this current morass not by scrubbing data (which is always a good idea, if you have any sensitive data that won't be used), but by employing good security practices.
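To make the last two points concrete, here is an added example that is not part of the original post and has nothing to do with Honda's actual code or schema. It uses an in-memory SQLite table with a handful of constructed, fictional owner records (the column names, VINs and "HFS-" account numbers are invented for illustration). It shows the string-concatenated lookup that a classic SQL injection payload turns into a full table dump, the parameterized lookup that treats the same payload as a harmless (non-matching) VIN, and a retention job that anonymizes records older than a chosen cutoff, the "destroyed, erased, or made anonymous" step the article quotes from Canadian privacy law.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data for the example only (not a real schema or real people):
# (id, name, address, vin, hfs_account, last_used)
SAMPLE_OWNERS = [
    (1, "A. Owner", "1 Maple St, Toronto", "1HGCM82633A000001", "HFS-0001", "2011-05-01"),
    (2, "B. Owner", "2 Oak Ave, Vancouver", "2HGFA16529H000002", "HFS-0002", "2009-06-15"),
    (3, "C. Owner", "3 Pine Rd, Montreal", "19UUA66206A000003", "HFS-0003", "2008-12-31"),
]


def open_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE owners ("
        "id INTEGER PRIMARY KEY, name TEXT, address TEXT, vin TEXT, "
        "hfs_account TEXT, last_used TEXT)"
    )
    conn.executemany("INSERT INTO owners VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_OWNERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, vin):
    """The anti-pattern: user input is spliced into the SQL text.

    A VIN of  x' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row. (SQLite's execute() refuses stacked statements, so a
    "'; DROP TABLE" payload fails here, but the tautology dump still works,
    and other database drivers do allow stacked statements.)
    """
    sql = (
        "SELECT name, address, vin, hfs_account FROM owners "
        "WHERE vin = '" + vin + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, vin):
    """The established fix: a parameterized query.

    The statement text is fixed; the driver sends the value separately, so
    quotes in the input can never change the query's structure.
    """
    return conn.execute(
        "SELECT name, address, vin, hfs_account FROM owners WHERE vin = ?",
        (vin,),
    ).fetchall()


def anonymize_stale(conn, today_iso, retention_days):
    """Strip identifying fields from records not used within the retention period.

    Keeps the row (and its VIN) for statistics but removes name, address and
    account number. Returns how many rows were changed; re-running it is a
    no-op because already-anonymized rows have a NULL account number.
    """
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE owners SET name = NULL, address = NULL, hfs_account = NULL "
        "WHERE last_used < ? AND hfs_account IS NOT NULL",
        (cutoff,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every owner leaks
    print("safe:      ", lookup_safe(db, payload))         # nothing matches
    print("legit:     ", lookup_safe(db, "1HGCM82633A000001"))
    print("anonymized:", anonymize_stale(db, "2011-06-01", 365))
```

The two lookups differ by one thing only: whether the VIN travels inside the SQL string or beside it as a bound parameter. That single change is what the "known and established" defense amounts to, and it is no slower or harder to write than the vulnerable version. The retention job shows that purging need not mean losing the whole record: anonymizing the identifying columns answers the privacy rule while keeping the non-personal data the business may still want.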
Related Articles and Sites: http://www.informationweek.com/news/security/attacks/229700261