
Exploring the science and magic of Identity and Access Management
Friday, December 5, 2025

Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm

My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or that, by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.


Being part of the honored 2% isn’t so gratifying

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
3:49 pm


On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies.  All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz-Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands of such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal effect from this data breach. But it does illustrate that we are all vulnerable whenever we trust any confidential information to someone else.

 

Dave Kearns and Dictionary.Com on Privacy

Identity, Privacy
Author: Mark Dixon
Tuesday, March 8, 2011
5:44 pm

Triggered by Dave Kearns’s article today, “What is Privacy, Really,” I spent a few minutes this afternoon with my good friend dictionary.com. It is amazing what one can learn about word meanings by (virtually) flipping through the pages of a dictionary.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy.

This was a bit circular in its reasoning, so I looked up “private”:

Private: confined to or intended only for the persons immediately concerned; confidential: a private meeting.

These meanings fit well with Dave’s desire to exercise control over when he divulges personal information:

I can see no reason to cough up details of my business, number of employees, target date for purchase, types of computers, operating systems, applications, etc., simply to read a high-class marketing document

A related term is confidential – again related to the ability to keep information private:

Confidential: spoken, written, acted on, etc., in strict privacy or secrecy; secret: a confidential remark.

For example, I can assure you that there are details of my personal life that nobody but my wife knows.  We intend to keep it that way, even if powers like Facebook and Google would have it otherwise.


High Court Rules Against Corporate Privacy Rights

Privacy
Author: Mark Dixon
Tuesday, March 1, 2011
4:28 pm

The Wall Street Journal reported today:

The Supreme Court ruled unanimously that personal-privacy rights don’t apply to corporations under the Freedom of Information Act.

Tuesday’s ruling was a defeat for AT&T Inc., which was seeking to block the disclosure of emails and other potentially embarrassing documents it provided to the Federal Communications Commission during a 2004 investigation by the agency of whether the telecommunications giant overbilled the New London, Conn., public schools.

I am not a legal scholar by any means, but it seems that the courts often split hairs, sometimes treating corporations as persons and other times as non-persons.  In this case, non-personhood prevailed.

The court, in an opinion written by Chief Justice John Roberts, said corporations don’t get to enjoy certain personal-privacy exemptions included in FOIA, a disclosure law that allows the public to gain access to some documents filed with the government.

"The protection in FOIA against disclosure of law-enforcement information on the ground that it would constitute an unwarranted invasion of personal privacy does not extend to corporations," Chief Justice Roberts wrote. "We trust that AT&T will not take it personally."

That last comment by Chief Justice Roberts is an interesting play on words.  According to his judgment, AT&T couldn’t take it “personally”.  They had to take it “corporately.”

How will it affect us?  Opinions vary:

News-industry groups and open-government advocacy organizations argued that AT&T’s position could place a wide range of records on corporate-behavior off limits to the public.

Several business groups backed AT&T. The U.S. Chamber of Commerce said the threat of public disclosure could have a chilling effect on corporations’ willingness to cooperate with law-enforcement authorities.

It will be interesting to watch where this leads.


Obama Eyeing Internet ID for Americans

Identity, Privacy
Author: Mark Dixon
Monday, January 10, 2011
6:07 pm

Obama Eyeing Internet ID for Americans – Tech Talk – CBS News.

Do we really want the President – or any federal official – establishing our personal Internet IDs?  Sounds like government over-reach to me.


Will the Government Micromanage Online Privacy?

Privacy
Author: Mark Dixon
Saturday, November 20, 2010
3:20 am

I currently publish two blogs: “Discovering Identity” (this one) and “I Love Freedom.”  Usually, the information I publish on these blogs doesn’t overlap, but this subject certainly does, and is posted on both sites.

Thanks to an acquaintance, Jane Grafton, I recently read two opposing views on the subject of federal government regulations of privacy:

An LA Times article, Privacy and the Web, concluded:

Although Washington shouldn’t try to micromanage the Net, it should make clear that websites have a duty to help users manage their personal information effectively, giving them the chance to understand the tradeoffs they’re making and to choose wisely.

Phil Lieberman of Lieberman Software responded in his post, “Internet Privacy Is No Place for Government Regulations”:

Attempts by the federal government to constrain the collection of data, and the ability to tailor offers based on this data, is a case of the government meddling in areas where it has no place.  Interference with the free market serves only to punish those companies that know how to efficiently mine their data and so is the worst form of government interference with the free market.

I’m all for privacy and opt-in/opt-out options. However I feel it does little good to cripple those companies who are good at business for the purpose of expanding the nanny-state. Any decision to overreach with privacy controls will also provide a bounty for greedy and litigious attorneys looking for fresh kills on the Internet.

What do you think? 

Although the LA Times article mildly asks the federal government not to “micromanage the Net,” history has shown that government has the propensity to always micromanage everything it touches.  How’s that for a cynical view?

I believe the most effective way to deal with this issue would be for private industry to self-regulate. In much the same way that PCI DSS has become an effective industry-driven regulation of the credit card industry, perhaps we need an “Online Privacy Standard” developed and enforced by the online industry itself.

Otherwise, if such industry self-regulation doesn’t happen, given the current mood in Congress, I think federal government regulation of online privacy is a foregone conclusion (more cynicism).

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.