Data Theft Notifications - How Soon is Too Soon?
bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"
"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information weren't also stolen?"
Lock it down. Cancel the email account and have any attached credit cards cancelled/changed. Change your checking account number. Keep thorough records and dig to find recent bank statements, etc. This can be a huge hassle.
File complaints with the federal and your state Attorneys General against the trading company immediately. Consider a 6-month paid monitoring service from a major credit reporting bureau. Both the feds and your state will have advisory hotlines. IANAL and Slashdot is not the place you want to go for this kind of information. Basically, don't fsck around if you think anything has been compromised.
I've been there, and these steps cost me a few dollars but saved me tens of thousands. Overseas types are pretty damned creative with your numbers. paranoid != not out to get you.
FairTax baby!
And for those who can't run their own email servers but use a Gmail account, a handy trick is to add a '+' to the user name, and it will still deliver. Say I had a Gmail account called slashdot@gmail.com. I could email slashdot+etrade@gmail.com and it will resolve to the slashdot@gmail.com address. Very handy for finding out who is being bad with privacy information when they ask for an email address.
+++ UGUCAUCGUAUUUCU
"I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'
Is the trading company called Ameritrade by any chance? They've got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&start=60
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Ameritrade/TD-W also let its email addresses out. My specifically-for-Ameritrade email address got vanilla (same type as my other accounts; not investing at all) spam. So I changed it. Again.
DT
Is this thing on? Hello?
In the banking industry, the applicable regulation is fairly strict... the institution must "promptly" notify customers of a material breach and there are relatively few loopholes. So if your broker or whoever was part of a bank, then this would apply. However, if your e-mail address was all that was compromised, they don't really need to notify you. By definition, e-mail addresses are not private information, any more than your physical address is. A number of states, notably California, have privacy laws that can be invoked, but the trigger for a material breach is usually the compromise of a combination of personal identifying data such as name and address (including e-mail addresses) and sensitive nonpublic personal information such as login credentials, account numbers, etc. You might see whether there is a law in your state that applies.
#!
Whether or not this results in the answer to your question (how long notification should be given), at least this is a step in the right direction for some centralized thinking instead of everyone doing it on their own.
The trading company might also have given out the address voluntarily (and now doesn't want to admit to that) or it could be a lucky guess of the spammer (maybe a dictionary attack of sorts). I know they used to try to use commonly-used nicks on my domain for a while. (Then I turned the catch-all off...)
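Two comments in this thread describe the same tracing technique from different angles: the Gmail '+' trick above (one base mailbox, a tag per vendor) and the catch-all-domain variant whose weakness is that a guessable local part such as etrade@yourdomain can be hit by dictionary spam, which says nothing about who leaked what. The script below is an added example, not code from this thread or from any broker or mail provider. It hands out per-vendor addresses in both styles and, given a received message, maps each recipient address back to the vendor it was issued to. For the catch-all case it appends a short HMAC to the vendor label so the address cannot be guessed and a hit can be verified. The mailbox name `slashdot`, the domain `example.org`, the HMAC key and the sample spam message are all constructed for the example; the facts relied on are that Gmail delivers `user+tag@gmail.com` to `user@gmail.com` and ignores dots and case in the local part.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical settings for this example; replace with your own.
MY_USER = "slashdot"             # the base Gmail mailbox from the comment above
GMAIL_DOMAIN = "gmail.com"
CATCHALL_DOMAIN = "example.org"  # a domain whose catch-all you control
SECRET_KEY = b"rotate-me"        # HMAC key that makes catch-all tags unguessable
TAG_LEN = 12                     # hex chars of HMAC kept in the address


def subaddress(vendor: str) -> str:
    """Gmail-style: user+vendor@gmail.com is delivered to user@gmail.com."""
    return f"{MY_USER}+{vendor.lower()}@{GMAIL_DOMAIN}"


def _catchall_tag(vendor: str) -> str:
    return hmac.new(SECRET_KEY, vendor.lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def catchall_address(vendor: str) -> str:
    """Catch-all domain: vendor.<hmac>@domain, so 'etrade@domain' alone is not a hit."""
    return f"{vendor.lower()}.{_catchall_tag(vendor)}@{CATCHALL_DOMAIN}"


def _normalize_gmail_local(local: str) -> str:
    # Gmail ignores dots in the local part and is case-insensitive.
    return local.replace(".", "").lower()


def attribute(address: str):
    """Map a recipient address back to the vendor it was handed to.

    Returns (vendor, status) where status is one of:
      'subaddress' - user+vendor@gmail.com; vendor is the tag given to that vendor
      'verified'   - catch-all address whose HMAC tag checks out
      'guessed'    - catch-all address with a missing or wrong tag (dictionary spam);
                     vendor is the raw local part so you can see what was tried
      'base'       - the bare mailbox, nothing to attribute
    or None if the address is not one of ours at all.
    """
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+)", address.strip())
    if not m:
        return None
    local, domain = m.group(1), m.group(2).lower()

    if domain == GMAIL_DOMAIN:
        base, _, tag = local.partition("+")
        if _normalize_gmail_local(base) != MY_USER:
            return None
        return (tag.lower(), "subaddress") if tag else (None, "base")

    if domain == CATCHALL_DOMAIN:
        vendor, _, tag = local.lower().rpartition(".")
        # Only compare well-formed hex tags; compare_digest rejects non-ASCII input.
        if vendor and re.fullmatch(r"[0-9a-f]{%d}" % TAG_LEN, tag) \
                and hmac.compare_digest(tag, _catchall_tag(vendor)):
            return (vendor, "verified")
        return (local.lower(), "guessed")

    return None


def attribute_message(raw: str):
    """Collect (vendor, status) for every recipient address in a raw RFC 822 message."""
    msg = message_from_string(raw)
    headers = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("delivered-to", [])
    results = []
    for _, addr in getaddresses(headers):
        hit = attribute(addr)
        if hit and hit not in results:
            results.append(hit)
    return results


# Constructed sample: a stock-tout spam that reaches the address reserved for one
# broker in both styles, plus a bare guess at the catch-all domain.
SAMPLE_SPAM = (
    'From: "Market Alert" <alerts@example.net>\n'
    "To: <Slash.Dot+ETrade@gmail.com>\n"
    f"Cc: <{catchall_address('etrade')}>, <etrade@example.org>\n"
    "Subject: HOT STOCK about to explode\n"
    "\n"
    "Buy now!!!\n"
)

if __name__ == "__main__":
    for vendor, status in attribute_message(SAMPLE_SPAM):
        print(f"{status:10s} {vendor}")
```

The `verified` result is the one worth acting on: it means a message arrived at an address that was never published anywhere and could not have been guessed, so whoever it was issued to (or a party they passed it to) is the source. A `guessed` hit on a catch-all domain is exactly the dictionary-attack noise described in the comment above and tells you nothing about a leak.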
Your bank reports capital gains on your accounts to the IRS. They need your SSN. If you don't give it to them, they probably won't give you an account.
24 beers in a case, 24 hours in a day. Coincidence? I think not!