Law


Law & Privacy | 28 Jun 2005 01:54 pm

In a great piece of original reporting by Gripe Line Blogger Ed Foster, at least one of the banks whose customers were affected by the CardSystems security breach doesn’t feel it had any obligation to notify its customers.

I’ve previously covered the CardSystems security problems, and noted several times here and on the radio that the main reason we’re learning about these privacy breaches is new laws — such as one in California — that require companies to notify consumers whose private information has been compromised. These laws are a common-sense requirement, allowing consumers to have the information they need to be on higher alert for evidence of identity theft.

But as Ed Foster reports, the folks at Chase Manhattan Bank think the law is open to interpretation and don’t think its customers need to know about the risks they face:

“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”

As Foster notes, many other financial institutions are taking a different approach, believing that their customers might appreciate knowing when trouble might be around the corner. And, as previously noted, at least one state attorney general has decided that a failure to provide timely notice to consumers was a crime.

If your bank hasn’t notified you about any privacy risk to your credit card, it might be worth giving their customer service department a call to see if they can tell you definitively whether your card was at risk. If they don’t know or refuse to tell you, this might be a good opportunity to close your account, cut up your card, and consider reducing your risk by finding a bank that cares more about you.

Law & Spam | 20 Jun 2005 01:35 am

In a report to Congress issued last Friday, the Federal Trade Commission (FTC) said it does not recommend requiring unsolicited commercial e-mail to include “ADV” or other labels in the subject line as a means to reduce spam.

In its 46-page report, which included a half-dozen citations to brilliant comments by this humble and faithful correspondent ;), the Commission states that, although subject line labeling may appear to offer a simple legislative fix for the problem of spam, it doubts that labeling would materially help consumers or ISPs to block or filter unwanted commercial e-mail. As the report notes:

Subject line labeling seems appealing because ISPs theoretically could preset their filters to screen out all email messages containing a particular label. However, subject line labeling is a rather crude way to filter and likely would not be very effective to combat spam because it would not distinguish spam from legitimate marketers’ UCE that some consumers may want to receive. Only law-abiding commercial emailers would label their UCE. Spammers would simply ignore such a requirement. … [As] a representative from PrivacyClue noted:

    The reality is that most spammers these days are still engaged in activities that range from marginally legal to quite illegal, and as a result, failure to comply with ADV is no great leap for them to make…

As the Kansas City Star reported, the Commission’s opinion was not unanimous. In a dissenting opinion, Commissioner Jon Leibowitz said:

“Requiring commercial e-mail to be labeled is not a panacea but, as the Can Spam Act clearly recognizes, there is no single bullet theory for solving the spam problem.” He also said he thought that Congress had in fact intended labeling as a device to help consumers deal with unsolicited commercial e-mail even from legitimate marketers.

Law & Privacy | 09 Jun 2005 11:59 am

OK, I freely admit that I was trying to be cutesy when I titled my April 19 blog entry “Waiting for More Shoes to Drop?” But it seems that I was prescient, because indeed, another shoe has dropped — in the form of a lawsuit against DSW Shoe Warehouse by the Ohio Attorney General.

According to DM News, Ohio Attorney General Jim Petro is suing DSW for failure to notify those consumers whose data was stolen from company computers back in March 2005.

The issue of liability for stolen data is going to become an increasingly ripe topic for debate as more and more data breaches become known to the public. A growing number of Federal Trade Commission enforcement actions, such as the Guess? Jeans case, have put companies on notice that they should expect to be held responsible if they fail to take reasonable precautions to prevent data theft.

As I discussed on The David Lawrence Show earlier this week, the idea of holding software companies responsible for security problems in their products isn’t a new one. And it’s only a small logical leap from there to holding companies responsible for failure to use readily available technologies — such as database encryption — to protect vulnerable data.

Law & Malware | 08 Jun 2005 05:19 pm

Three cheers for Symantec! As I reported recently, malware companies have been on the offensive against anti-malware companies, trying to threaten, cajole, and sweet-talk anti-malware companies into not labeling their wretched products as “adware” and “spyware.”

According to News.com, after months of going ’round and ’round with adware maker Hotbar (whose insidious and unwanted “toolbar” I have removed from more than a few friends’ computers), Symantec finally tired of Hotbar’s bellicose bloviations and filed a lawsuit seeking the right to label Hotbar’s adware as, well, adware.

“We have been talking with (Hotbar) for the last several months, and over the course of that time, they have threatened to sue us on a regular basis,” [Symantec spokesman Cris] Paden said. … Symantec said it is not asking for money, but is seeking an affirmation that Hotbar products are indeed adware and can be treated as security risks. “We are simply asking for the judge to say that we are within our rights to detect Hotbar,” Paden said. The company would then be able to help customers remove the toolbars from their PCs.

The News.com article goes on to discuss several other anti-spyware companies who are also being threatened by the Hotbar hotheads. Meanwhile, Hotbar is apparently unlawfully representing itself as a licensee of the TRUSTe privacy program. When you click on the TRUSTe logo, it says:

www.hotbar.com IS NOT A VALID TRUSTe MEMBER WEB SITE

The unauthorized display of the TRUSTe trustmark is unlawful and violates a TRUSTe trademark. If you clicked on the TRUSTe trustmark or Click to Verify seal to get to this page, the site you are visiting does not have permission to display the seal.

I applaud Symantec for standing up to the petulant twits at Hotbar, and more importantly, for seeking a legal precedent that would potentially establish a legal right to call a spade a spade. Hopefully Symantec’s discovery of a backbone will inspire McAfee and other anti-malware companies to stand up to the malware industry’s Jedi Mind Tricks.

Meanwhile, the message to Hotbar is simple. When you’re in the malware business, you have to expect that when you depend on bullying tactics, one day you’re going to bully somebody bigger than you, and get yourself smacked right back. In my opinion, Hotbar should shut up and take their lumps like a grown-up. Like their cousins in the spam industry, the malware companies need to accept that there are more people gunning for them than there are ethically-challenged marketers to keep hiring them. The tide is shifting, and this market isn’t going to be a hospitable place to peddle that ‘ware for much longer.

Unless you’re prepared to set up shop in China or some other nation where enough money will buy you a secure homebase for businesses built on shaky moral grounds, it’s time for malware vendors to accept that the golden age of malware may be drawing to a close. Certainly we’re not there yet, but as Spyware Warrior notes, vast numbers of people are trying to get rid of malware. If it hasn’t already, the uninstall rate will eventually surpass the install rate of malware, despite the increasingly desperate techniques some malware companies are using.

Sorry Hotbar! You had a good run. But as Symantec knows, there’s more profit to be had in erasing your products than playing word games to protect them.

Law & News & Culture & Privacy & Tech | 28 Mar 2005 09:57 pm

On tonight’s David Lawrence Show, I talked about the recent Freedom of Information Act request by the Electronic Privacy Information Center which uncovered a sales pitch to the FBI by embattled data broker ChoicePoint. I also talked about tomorrow’s arguments in the US Supreme Court in MGM v. Grokster and the rising use of vehicle “black box” recorders.

I also made my Podcasting Debut — my ‘coming out’ if you will — on David’s Podcast for tonight. It’s a free download, only 9mb, and just a few minutes long, so listen in!

Meanwhile on the ChoicePoint issue, I traded some email today with CNET News.com’s Matt Hines who wrote about ChoicePoint and the FBI in his Security News.Blog:

Despite ChoicePoint’s claim of innocence, some privacy experts said they would not be surprised that the company, which has experienced a string of high-profile consumer data losses, would entertain such an approach to marketing itself to the FBI and others. In fact, Ray Everett-Church, an attorney who runs his own consulting company, PrivacyClue, said that ChoicePoint likely knew that the FBI might find such information particularly compelling.

Check out Matt’s blog entry for my very sassy commentary! ;-)

Gay Rights & Law & Politics & Religion | 27 Mar 2005 10:19 pm

This is going to be my only entry discussing the Schiavo disaster. And it is a disaster. It used to be merely a tragic story, but when the religio-political opportunists got involved, it turned into a farce, and then rushed headlong into being a disaster.

Law & Politics & Religion | 15 Mar 2005 11:54 pm

Tonight’s David Lawrence Show started out about the great ruling by a California judge that the state’s ban on gay marriage is unconstitutional. But then the rest of the hour devolved into David’s rantings about the FCC. I don’t disagree, however, with David’s rants… the FCC is filling its docket with the insane whining of puritanical fascists, and threatening to bankrupt anybody who dares utter a dirty word. But I mostly enjoy teasing David when he begins to froth at the mouth. :-)

You’ll have to buy two segments (yes, a whole 50¢ you cheap bastard!) because I stayed on into the second hour.

Law & Privacy | 14 Mar 2005 11:19 am

Most data brokers are operating their businesses in a fashion that suggests they don’t fully appreciate the consequences of their screw-ups. Perhaps they should learn from the dynamite industry that more than the average duty of care is necessary for people in their line of business. In my monthly column for eSecurityPlanet.com, I discuss why data brokers seem to think they’re in a less dangerous line of work than they really are.

Friends & Family & Law & Politics | 08 Mar 2005 10:13 pm

Our dear friend and partner in crime, Lili VonSchtupp, cuts her finger, and I numb her mind by talking about the “Induce Act”, which would hold operators of file-trading networks responsible for profiting from the trade in pirated intellectual property. Users of PayPal and BitPass can easily and cheaply download tonight’s edition of The David Lawrence Show with just a few clicks of the mouse!

Law & Privacy & Sillycon Valley Biz | 22 Feb 2005 12:37 pm

The message from the cubicled dungeons of corporate America is clear: Blog at your own risk. In my monthly column for eSecurityPlanet.com, I take a look at the recent rash of blogger firings, including a highly publicized incident involving a Google employee, and explain why privacy is impacted when people are threatened into silence.
