October 21, 2003

Another case for disclosure

The New York Times is reporting today on Victoria's Secret, which was forced to pay $50,000 in damages after customer information leaked from its web site because of a security flaw. It's an interesting precedent for holding companies accountable for their security flaws. Eliot Spitzer, the attorney general of New York, is quoted as saying, "A business that obtains consumers' personal information has a legal duty to ensure that the use and handling of that data complies with representations made about that company's security and privacy practices." An interesting point in the article is that Jason Sudowski, the customer who discovered the flaw, contacted Victoria's Secret and was ignored. He then contacted MSNBC, which contacted Victoria's Secret, and they fixed the problem. This is another demonstration that public disclosure is the best way to keep companies accountable for security and privacy.

Posted by Avi Rubin at October 21, 2003 08:23 AM