Hacked Company: Notifying Customers Of Breach Is A "Burden"
Network Solutions, an e-commerce company, just experienced a data breach that resulted in the compromise of 573,000 credit and debit card accounts. The company has begun to notify merchants of the breach so they can tell their customers, but gosh, it's just so hard.
Network Solutions' spokesman says, "We feel terribly about it, to burden them with the notification process, which can be kind of tricky because there is no one federal data breach statute." Other things that are a burden: having a company let hackers access your bank account because their web security failed.
As US PIRG, which directed our attention to this story, points out, it's pretty easy to instruct the merchants on the varying state laws: "Tell them to comply with the strongest state law and they will be in compliance with all of them."
US PIRG also notes, "With a debit card, fraud occurs against your own checking account and the law supposedly protecting you — the Electronic Fund Transfer Act is weak. Plus, it's your own money you're missing until when and if the bank refunds it. Fraud against a credit card, on the other hand, is covered by the stronger Truth In Lending Act and the bank has a greater incentive to work hard to stop it. All plastic should be protected the same way credit cards are. If we get a new consumer agency, that could be one of its first efforts."
Network Solutions Says Hackers Accessed 573,000 Card Accounts [WaPo, via US PIRG Consumer Blog]
Comments:
With regards to advising merchants which law to follow, you can't simply tell them to follow the "strongest".
First off, it might not be easy to tell which law is "strongest". For example, State A may require persons to be called by telephone, while State B may require notification by mail. Which one is stronger? What if you don't have the customer's phone number or address, or have an outdated phone number or address?
Secondly, the various state laws may be contradictory. For example, one state may be OK calling whatever number you have on file for the customer, while another may make it punishable to divulge financial information to anyone other than the customer.
Issues like this are why the founding fathers wrote the Interstate Commerce Clause. There really should be Federal legislation on this.
I nearly panicked when I first read this post, but according to the linked article the breach only affected Network Solutions customers who have e-commerce sites hosted by the company.
I registered a few domains through them before discovering less expensive alternatives, but as a current Network Solutions account holder, this still makes me nervous. (What other servers aren't they protecting?)
@Crim Law Geek:
I think the question with that would be if you go to notify a customer and have outdated information, whose responsibility is it to keep that information up to date? How would that hold up in court if they say they tried to call but could only produce old numbers / addresses?
@Crim Law Geek: Or something issued by the Conference of Commissioners on Uniform State Laws. That will maintain the federal system while providing some uniformity.
@H3ion: Most states copy the California security breach model, which is the most consumer friendly one out there. NCSL has a breakdown of the breach laws. [www.ncsl.org]
Even when companies notify about data breaches it's probably too late.
I got a letter a few months ago from batteries.com that their server had been compromised and that a bunch of their customers' cards had been used fraudulently.
It was a little late, though, since 2 weeks earlier I had gotten a call from Amex asking me if I'd charged $2500 worth of Air France tickets and $1500 on Northwestern to my Blue Cash. I hate flying and am not a huge fan of France, so, no.
I think you're completely misinterpreting what they said. They're not complaining about the burden of notifying their customers. They're apologizing for the burden that their customers (merchants) will bear, which is to notify their customers (a burden that Network Solutions is willing to assume).
This is the kind of mistake you make when you look for the negative in everything. And you didn't even have to look for a negative angle with this story, the data breach is bad enough.
It is sound advice. The "strictest" law method is fine. You're missing the point, the company feels it's a burden to let people know their accounts have been compromised.
If a company attempts to follow the strictest state law in existence they are showing a good faith effort at protecting their customers. The "old phone number or bad address" issue is irrelevant. It is the consumer's job to keep their info up-to-date; if you moved but didn't tell anyone then I guess you'll never know why money keeps disappearing from your account.
Also the Commerce Clause is great and all, but the reason why there isn't a strong Federal law is that MOST states prefer tailoring laws to their own needs. In other words, people in a small state probably feel that California's law may not suit them for whatever reason. Also MOST states certainly don't want Congress pushing a Federal law that could be heavily influenced by lobbyists from another state.
@joshmayfield: It may be the case that the servers for e-commerce are inherently less secure due to the extra applications they have to deal with to service all the third party stuff. And it may be that the break happened through an exposure only open to those e-commerce clients themselves, through one that itself got infected some way (like running Windows).
I work for Network Solutions and we would like to clear something up regarding this post. The point is that our customer base is made up of small businesses and they (not us) would take the brunt of the burden if we did not offer free of charge a notification service for them to notify customers on their behalf. State laws generally require the merchant to notify customers. Therefore our service is set up to directly address and relieve that burden on our customers. If you would like to see more information and the discussion our affected merchants are having on the issue please visit careandprotect.com.
@krom: I wish I had kept a transcript of a phone call I had with them while trying to get a client's domain name transferred away.
The rep's whole argument about why I shouldn't transfer was that Network Solutions has a web site -- you know, for service! Because you can maintain your own account on the web site! It's really easy! (Nobody else apparently has this.) It's so amazing it's totally worth paying 4 times what you could pay elsewhere but with 5% the storage and transfer limits! (Who needs all that pesky storage space anyway?) This was about 3 years ago.
Oh, and the rep said they have "GREAT service" (You know, like spending 20 minutes trying to aggravate someone into not transferring their account).
I finally had to resort to just saying "release the domain name now, please" every time they said anything until they realized I wasn't going to back down, and even then they kept trying while they were supposedly "accessing account information -- this might take a second" until I asked for a supervisor. All told it took around 2 weeks and several followup calls and e-mails before I was able to actually transfer the domain.
AMEN AMEN AMEN, AMEN!
@Cant_stop_the_rock: The same reporter wrote another item on this that's even more clear:
"Due to the potential high cost of notifying individual victims, the hosting company is offering to handle the notification of affected customers of the breached online stores."
As I read that, they're doing more than apologizing for the burden. They're trying to take up the burden themselves.
Good point, there should be a strong federal statute about data breaches. Its purpose should be to encourage companies to do everything possible to ensure the highest security of customers' data. Perhaps something simple like:
In the event of a data breach, all customers whose data may have been stolen must be informed within 48 hours and must be issued a payment or credit of $100.
Network Solutions, and companies like it, will choose to secure their customers' data because the $50,000,000 cost of not doing so is something they don't want to face.
Whoops! My bad.