Yesterday, following the Congressional hearing where Sony and Epsilon testified, we had a bit of a lively – if truncated – debate on Twitter about breach notification. Not surprisingly, George V. Hulme raised the issue of breach notice fatigue and how notifications should be confined to situations where there is some real risk.
Also not surprisingly, I disagreed with him, as did Douglas Davidson and Adam Shostack.
Deciding that this would take more than 140 characters, Adam cleverly blogged about the issue. You can read his commentary, How the Epsilon Breach Hurts Consumers on the New School of Information Security Blog.
As someone who also uses vendor-specific email addresses, I agree with Adam completely. And what really concerns me is that under existing laws, Epsilon’s clients were seemingly not obligated to notify us at all about the breach. We need to fix that. Maybe to prevent breach fatigue we need a tiered system like the color alert levels, but I do think consumers need to be notified so that they can make informed decisions.