Posts Tagged ‘Federal Trade Commission’

The Epsilon Syndrome

Posted in 2011 on April 7th, 2011 by Robert X. Cringely – 54 Comments

Like a lot of you, this week I received several messages telling me my e-mail address had been stolen from a company called Epsilon that provides mass e-mail services to many giant corporations. At the end of this post you’ll find what I believe is the latest list of companies affected. I have heard from four of these companies so far — Best Buy, Chase, Hilton, and Ritz-Carlton, which is interesting because I don’t recall having even stayed at a Ritz-Carlton. From a look at the master list below I’m surprised I haven’t yet heard from Verizon, where I am also a customer. The point of this post isn’t just to print a list of Epsilon customers, but to say how screwed-up and perilous this event is for everyone involved including you and me. Heads should be rolling and there is no evidence yet that they are.

Epsilon, which has millions of consumer e-mail addresses and associated names, was hacked, losing some unstated number of customer files probably numbering in the millions. The affected companies have sent very earnest messages notifying us, expressing hopes that the damage is limited, but urging us to be on the lookout for bad guys messing with our IDs. What they aren’t saying yet is this: “Epsilon screwed up so we’re firing their sorry asses and suing them back to the stone age.”

If Epsilon made such a huge mistake they should be punished. If they are being punished we, as the truly affected parties, should be told that is the case. Better still, we should be compensated for our inconvenience. This is not business as usual. This is a huge steaming mess. Polite e-mail messages that say almost nothing are not an adequate response.

Here’s why I feel this way and you should too:

This stolen data will be used for phishing attacks, which is what the companies are warning us to be on the lookout for. There will be such attacks and telling us to be on our guard won’t stop them from being successful to some degree. It is in my view a woefully inadequate response. Remember these bad guys have a lot of data on us — the name of the company with which we are doing business, our names (in most cases), and our e-mail addresses.

No matter what spin the companies put on it this is huge. Consumers will be compromised and losses in the millions — maybe tens of millions — will be incurred. And I don’t care if the banks say they’ll cover the losses, that never happens gracefully, at least not for me.

People who opted out with these companies were also exposed. So it isn’t just customers but also former customers and non-customers whose information was stolen. What is the legal exposure there? It’s an issue I haven’t seen discussed anywhere.

What if the bad guys start sending mail to the opt-out people (you know they will) and by doing so cause the affected companies to violate the CAN-SPAM Act of 2003? That can cost $16,000 per violation.

But hey, this is a case of simple theft and Hilton can’t be held responsible, can it? It isn’t clear.

Here’s what the Federal Trade Commission says: “The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.”

That’s a giant class action lawsuit just waiting to be filed.

But wait, there’s more! Any company that accepts credit cards can be subject to a security audit. Will these companies listed below pass their next such audit? On the face of it they shouldn’t because their systems have been compromised. Blaming Epsilon doesn’t change that because, as in the FTC example above, the companies can’t simply delegate responsibility. And I sincerely doubt that Epsilon or its parent, Alliance Data Systems, is in a financial position to indemnify all those companies.

Again you might say this is an over-reaction on my part, that cooler heads will prevail. Maybe so, but the ugly truth here that isn’t being addressed is that some — maybe many — of these companies could be hiding a multitude of security sins that would come to light in such an audit. Do they really want to let anyone who knows what they are doing have a close look at systems that may be antiquated or even non-existent?

If this Epsilon mess causes a rash of credit card claims and chargebacks that trigger automatic security audits, then even if the Epsilon event itself is explained away a lot of these companies will still be in trouble.

The worst part of all, though, is that nobody in this mess is on our side, nobody. Apparently we’re not too big to fail.

Here is what I understand to be the current list of affected companies:

1800-Flowers
Abe Books
Air Miles CA
Ameriprise Financial
Barclays Bank of Delaware
Beachbody
Bebe Stores Inc.
Benefit Cosmetics
BestBuy
Brookstone
Capital One
Charter Communications
Chase
Citibank
City Market
The College Board
Crucial.com
Dell Australia
Dillons
Disney Vacations
Eurosport/Soccer.com
Eddie Bauer
Food 4 Less
Fred Meyer
Fry’s
Hilton Honors
The Home Shopping Network
Jay C
JP Morgan Chase
King Soopers
Kroger
LL Bean
Marks & Spencer (UK)
Marriott Rewards
McKinsey Quarterly
Moneygram
New York & Co.
QFC
Ralphs
Red Roof Inns Inc.
Ritz Carlton
Robert Half
Smith Brands
Target
TD Ameritrade
TIAA-CREF
TiVO
US Bank
Verizon
Viking River Cruises
Walgreens
World Financial Network National Bank

Love for Sale

Posted in 2009 on October 6th, 2009 by Robert X. Cringely – 49 Comments

The U.S. Federal Trade Commission this week announced rules for bloggers who take money and various other forms of booty in exchange for reviewing products. Somehow I missed this business of selling one’s soul. But I think it is a good idea to take a moment and be straight with my readers about the limits of my journalistic ethics in this space.

I don’t take money for reviewing products because I don’t review products. Never have, never will. So don’t send me any products, okay?

Publishers send me early copies of a few books per year, generally hoping I’ll either provide a quote for the book jacket or write a positive column about it. I do accept such books but rarely write about them. If I give a quote it is never for money, mainly because I didn’t think anyone would pay. I was probably right about that.

I once sent a book of mine to Joe Bob Briggs only to have him give it away on his web site. Tacky.

While it is true that I write for money, in the case of this page the only money comes from those ads you haven’t been clicking on. I have no idea what those ads will be, by the way. They are served automatically by IDG Technet, which sends me each month a check that is pitifully smaller than I was led to believe it would be.

If you want to suggest a topic to me and accompany that suggestion with a gift or a check, it pretty much guarantees I won’t write about what you want me to. This is all part of my reverse psychology plan to get Microsoft to pay me $1 million to never write anything about them again. So far that strategy is not working.

Bear Stearns (remember them?) once offered me money to participate in a conference call with their customers. I had done such a call before for free to talk about my Google shipping container data center column but felt too much like a talking dog and didn’t want to do it again. So they offered money. I said “no.” And of course Bear Stearns is now dead. So be careful what you ask of me.

I write for other publications like the New York Times and they pay me, but so far that pay is not from vendors except in the case of Perforce Software, where I write a column for their company newsletter. But I’ve never written about Perforce here. Until now that is. Does that mean the FTC will now arrest me specifically because of this disclosure? Sounds like a Star Trek episode.

Most of my income actually comes from giving speeches and participating in events like brainstorming sessions, many of which happen at companies I have written about. Often I learn things at these events that are worth writing about, though strictly within the bounds of whatever non-disclosure agreement I’ve signed (violate NDA = wife takes kids and leaves). So in this sense I do take money from companies I might write about. But the companies never give me money specifically to write (except for Perforce, above) and they often don’t like at all what I end up writing. Screw ’em.

The FTC rules say nothing about giving speeches or selling one-page screenplays for $2 million. If they expand the rules in that direction, of course, I may yet be in trouble.

In that case there’s always pizza delivery.