Data Theft Notifications - How Soon is Too Soon? 137
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information wasn't also stolen?"
Safe/sorry (Score:5, Informative)
File complaints with the federal and your state Attorney Generals against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.
I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.
Re:How stupid is E*Trade? (Score:5, Informative)
Are we talking about Ameritrade? (Score:4, Informative)
"I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'
Is the trading company called Ameritrade by any chance? They got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&star t=60 [spamgourmet.com]
As stupid as Ameritrade (Score:2, Informative)
Ameritrade/TD-W also let its email addresses out, too. My specifically-for-Ameritrade email address got vanilla (same type as my other accounts; not investing at all) spam. So I changed it. Again.
DT
certain laws may apply (Score:3, Informative)
ANSI and BBB Standards (Score:3, Informative)
Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.
Re:Maybe YOU were hacked (Score:3, Informative)
Re:Do more (Score:3, Informative)
Your bank reports capital gains on your accounts to the IRS. They need your SSN. If you don't give it to them, they probably won't give you an account.