Tuesday, October 28, 2003

SB 1386 Impotent While CardCops Monitor for Your Card

Kevin Poulsen wrote another excellent article at SecurityFocus. He describes how no one has reported compromise of consumer credit card data in the four months since California's SB 1386, now enshrined in the state's civil code as 1798.29 and 1798.82-1798.84, was enacted. This is not unexpected. How can the authorities know who was compromised? It takes months to years for companies to make such discoveries on their own.

The most interesting aspect of the article is the mention of CardCops.com, which "offers consumers a paid notification service, in which he'll [CardCops] warn his customers if he spots their information in the chat rooms and websites frequented by credit card thieves." I was skeptical, but the article claims "this month alone he [CardCops] traced stolen credit card information to breaches at five different online merchants, ranging from mid-sized businesses to modest mom-and-pop operations. When he contacted a sample of the exposed consumers, he was, in each case, the first to give them the bad news."