For you youngsters out there pretending to be InfoSecurity people let me shed some light on the subject here regarding the responsibility of the provider.

Years ago an incident occurred regarding a birth control pill. Which was discovered to have serious side effects. (i.e. birth defects) The problem was discovered by one of the scientists who developed the pill. He told the company, which under the LAW at the time wasn't under any obligation to make the information public.

Thousands of women had children with birth defects.

Now I realize this is only e-mail, which could and probably did contain information like, say, credit card information. Due to the "flood" of e-mails to inform their customers of the problem they "deleted" the e-mail evidence so as not to alert their clients of the problem. So no one could have taken any action if his or her credit card information had been lifted.

Now I wonder just how many of them will end up paying for something because of the denial of the provider?

Even if it's only $100 per customer, and they have 10,000 customers, it adds up. The company is now relying on the LAW not allowing a class action suit especially since the Bush administrations staff John Ashcroft has provided that states can send their frivolous law suits to federal court.

Would this be considered frivolous? Sure it's only $100 per customer. Who wins?

Well, actually the customer gets pissed, leaves the company the company goes out of business, lots of people laid off looking for work, and a foreign company out of China starts taking up the slack and provides a cheaper e-mail.

Bet you republicans feel safe now, the LAW is protecting you.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21557#21557