written by Pierluigi Stella
So 12 States are asking for more information which, as far as I know, Chase is not even obligated to provide.
One thing needs to be cleared up immediately. Why do we continue to consider the SSN sensitive, but not my home address and phone number? My cellphone number is not publicly available, so if hackers stole that information, to me it is sensitive, and in a way just as sensitive as my SSN. So let’s be clear – sensitive information was indeed stolen! Consider that many of us only use a cellphone, and cellphone numbers aren’t in the phone books. Clearly, this information is confidential, private and sensitive. My home address may not be so ‘private’, unfortunately, but since my phone number isn’t in the phone book, neither is my home address, so it isn’t publicly available either.
Hence, for all those like me who only use a cellphone, a home address is sensitive information as well!
Then let’s consider the letter.
What good can it do?
Chase may want to save face and reply, but I’m not sure what authority these States have. I’d need to chat with a lawyer to understand the regulations, jurisdiction, and associated issues. Fifty States, 48 data breach disclosure laws; I’m pretty sure Chase has already complied with all of them. Security practices are already audited by the proper bodies, such as the Feds and the FDIC, which both mandate very strict practices and both audit every bank more than once a year.
Therefore, rather than asking Chase for information the bank has likely already provided to its regulators, why not ask those regulators whether they’re allowed and willing to share that information?
We don’t need more auditing bodies; the banking industry has plenty! And with all due respect, the States don’t have qualified bodies capable of reviewing the information that has been requested. Since this review is already being done, the request is clearly only a political stunt to demonstrate to the public that the State authorities are doing something about cybercrime. Well, I don’t believe this is the direction they should be going. They should start by securing their own infrastructure and our data.
From what I’ve seen at industry trade shows, local and state government security lags behind that of banks by about 10 years, at the very least. If they haven’t all been taken down yet, it’s only because hackers don’t care about the data these public entities are protecting (or not protecting). Lack of funding is always the main complaint of the managers tasked with making those purchases. If the States truly want to do something serious about security, why not start by allocating more budget to local governments and making it mandatory that they update their security to standards comparable to those of banks?
Because believe me when I say, there’s no one in this country more secure, more scrutinized and more up-to-date when it comes to security than the financial sector.
Chase issue or not, all other verticals as well as the public sector should take a lesson on this topic from the financial industry. I have no idea what happened at Chase, but I know that if it happened to them, it could very easily have happened to anybody else.