Timely Breach Disclosure
Yes, we know that information security in an interconnected world is not trivial. We accept that configuration errors or malicious insiders or new, complex threats might conspire to provide opportunities for a breach. But who says that it is acceptable that notification and disclosure of a breach be done months or years after the incident?
That's what appears to have happened with TD Ameritrade this past month. On September 14th, it was reported that TD Ameritrade suffered a breach, in which the names and contact info of all of its customers -- over 6 million -- was exposed. They have further indicated that no Social Security or financial information was exposed, even though this data was stored in the same database (but probably in a different table) as the name and contact info.
There is now a class action lawsuit pending against them because of the stock-related spams that were spawned from this breach, and the major complaint is that TD Ameritrade was informed about the spam issue as early as October 2006, but initiated no investigations into the matter until at least four months after the lawsuit was filed in May 2007.
Unfortunately, bad news doesn't get much better with the passage of time. It will be very interesting to see how they are impacted from a brand equity standpoint based on how this lawsuit turns out...
About Logik!
Andrew S. Baker aka ASB aka Logik!
Andrew is an accomplished, hands-on IT Executive with a solid track record of providing timely and cost-effective business solutions using technology. With over 16 years experience in Information Technology, he has proven to be effective both as a Team Leader and as an individual contributor in designing, deploying, securing and maintaining enterprise networks.
His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers,
Family Life Ministries, Reading and Strategy/Role Playing games...
Some of his contributions include several whitepapers on technology and Information Security, the UltraTech Knowledgebase, various postings to technology mailing lists and forums, active participation on LinkedIn Answers, along with a number of interviews for articles published in industry magazines.
A condensed version of
Andrew's current resume is available here.