I agree that McDanel's response was justified. In fact I believe he had an obligation to take some sort of action that would lead to improved customer privacy. Tornado is definitely obligated to do so according to California state law. Furthermore, to assume McDanel stole an email list from Tornado is just that, an assumption. There are tons of legitimate ways to find email addresses.

I personally would have taken a bit more creative approach. He should have signed himself up for the service. As a legitimate customer, he could have taken the identified vulnerability to state prosecutors and put Tornado on the other side of the table.

The following California state law gives any organization, for-profit or otherwise plenty of fiscal incentive to fix security holes. As you stated "the customer's best interest are a means to the primary purpose" which makes the customer's best interest the company's best interest by default.

"According to SB 1386, any business, government agency, or individual who conducts business in California, is required to inform their customers of any incident where their unencrypted personal information could have been accessed by an unauthorized person. The law pertains to any organization, whether based in California or in other parts of the country. Personal information includes an individual's name along with their Social Security number, driver's license number, state identification number, or credit or debit card numbers with security codes." (obtained from www.nfr.com)

Tornado is located in California so this law absolutely applies.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21791#21791