The message from Discover landed with a digital thud in Linda Babcock’s email inbox.
“Your account information may have been compromised as part of an external data breach,” it warned. “No Discover owned or controlled systems were compromised by this incident. Because your security is important, we’re replacing your card(s) to help keep your card information safe.”
Southern Californian Babcock, 69, was relieved at first that Discover was protecting her from scammers and identity thieves. But she naturally wanted to know more about this “external security breach.”
Was it a big company she did business with frequently, such as Amazon? Was it a smaller company she might want to steer clear of in the future?
How extensive was the breach? Hundreds of credit card accounts endangered? Thousands? Millions?
“These seemed like fair questions,” Babcock told me. “But when I called Discover and asked, all I got were vague answers. Nobody would say anything. Privacy considerations, they kept saying.”
All about PR
It’s a problem faced by consumers nationwide. A business gets hacked and customers are then treated like children, given only the sketchiest details so as not to bruise the delicate feelings of the hacked business.
“Companies don’t want to take the public-relations hit,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, a San Diego advocacy group. “They know that consumers equate a data breach with carelessness.”
For that reason, it can be almost impossible for people to make informed decisions about the digital trustworthiness of businesses, which often value their own privacy far more than that of customers.
It’s always a challenge for businesses when to tell – whether to tell – customers what happened.
Rabeh Soofi, a Los Angeles lawyer who focuses on privacy matters
I’m thinking of how the telecom industry lobbied aggressively to roll back privacy safeguards requiring internet service providers to ask customers’ permission before sharing information with marketers.
Republican lawmakers voted in March to allow companies to once again share people’s info without their say-so. President Trump signed it into law last month.
Fun fact: The telecom industry spent nearly $86 million on lobbying activities last year, according to the Center for Responsive Politics.
When it comes to security breaches, Californians enjoy some of the toughest notification rules in the country, aimed at bringing greater transparency to such incidents. But that doesn’t always translate into openness.
The reality is that consumers will only learn details of a security breach if the company involved fesses up. And few companies want to announce to the world that their digital defenses came up short.
Under California law, customers must be notified of a breach only when it is “reasonably believed” by a business that personal information has been acquired “by an unauthorized person.”
That standard, obviously, accommodates a lot of wiggle room – although it’s not as big a loophole as some other states’ even looser requirement that notification be made only if a business thinks a breach will “harm” a customer financially.
In Babcock’s case, the breach to that “external” company was deemed serious enough by Discover to warrant a new credit card. But it’s unknown if the company involved ever issued its own mea culpa to customers.
Nobody would say anything. Privacy considerations, they kept saying.
Linda Babcock, customer who tried to get information from Discover after a security breach
Babcock said that, aside from Discover’s email, she hasn’t received any other breach notifications in recent months.
California’s law says notification must be made “in the most expedient time possible” but “may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” Such investigations can take months.
“It’s always a challenge for businesses when to tell – whether to tell – customers what happened,” said Rabeh Soofi, a Los Angeles lawyer who focuses on privacy matters.
She said she’s represented companies that “did a lot of soul-searching about whether they really needed to disclose a security breach to customers or employees.”
Here’s another problem: The state’s notification law has no teeth.
For enforcement, it relies on Section 17200 of the Business and Professions Code, which forbids unfair practices. That law levies a general-purpose fine of $2,500 “for each violation.”
It’s unclear, though, whether this would entail a $2,500 fine for the entire incident or $2,500 for each customer affected.
Many companies might assume they face only a $2,500 overall risk in keeping quiet because no company ever has been lapped with a fine of $2,500 per individual. That could produce a staggering penalty.
Take Yahoo. The Sunnyvale company has reported in recent months that the accounts of more than 1 billion users may have been hacked. That’s a potential fine of $2.5 trillion if the company had kept mum about its security lapses – more than the gross domestic product of France.
Running the numbers
Odds are, therefore, the financial risk of keeping a breach under wraps would be on the low side – and that’s presuming authorities even came after you.
A spokeswoman for California Attorney General Xavier Becerra said she was unaware of any such prosecution ever being made.
With all this in mind, Babcock can consider herself fortunate that Discover was watching out for her.
But what about the hacking that resulted in her getting a new credit card? It turns out that credit card companies such as Discover, Visa and MasterCard often have deals with merchants under which they agree not to identify the business in the event of a security breach.
They just replace the card and tell cardholders not to worry their pretty heads.
I asked Discover for more information about the breach that affected Babcock.
No comment, a spokesman said.