Breached companies are not entitled to anonymity
Does the recent decision by District Judge Douglas Woodlock – to unseal the identities of two companies (J.C. Penney and Wet Seal) whose customer data was stolen by TJX hacker Albert Gonzalez – mark a change in the government's stance towards breach disclosure, and in the previously upheld habit of shielding corporations from the economic loss that would inevitably follow an obligatory revelation of their identity?
J.C. Penney fought for months to keep the fact that their payment card network was breached under wraps, claiming that no data was stolen and that they did not want their name to be linked with the case.
According to Wired, their lawyers tried to argue that the company was entitled to anonymity under the Crime Victims’ Rights Act, but they were pitted against Assistant U.S. Attorney Stephen Heymann, who argued that “most people want to know when their credit or debit card numbers may have been put at risk, not simply if, and after, they have clearly been stolen.”
“Knowing that card holders will be concerned whenever their credit or debit card information is put at risk, if they know of it, provides an incentive to companies to invest in the protections their customers would want,” he claimed.
It is unusual to see a federal prosecutor advocating this stance, especially since, in the past, the unofficial common practice of the government and law enforcement agencies was to keep silent and protect the companies, so that they would have an incentive to report breaches.
J.C. Penney’s attorneys tried to convince the judge that revealing the company’s identity might harm future law enforcement efforts and make breached companies less inclined to report the incident or cooperate with the law, but the judge would have none of it and, finally, determined that companies weren’t entitled to privacy and special benefits in this matter.