Will the October Cyber Attack on Adobe Systems Prompt a Change in Vendor Consumer Responsibilities?
On October 3, 2013, Brad Arkin, Chief Security Officer of Adobe®, posted an Important Customer Security Announcement. This post included a summary of a successful attempt by a malicious entity (individual, team or organization) to compromise the security of Adobe’s websites. The attackers made off with application source code for a number of Adobe products.
They also made off with “. . . customer information . . .” This information included “. . . customer names, encrypted credit or debit card numbers, expiration dates, and other information . . .”. In response, Mr. Arkin noted, Adobe will take steps, including “. . . notifying customers whose credit or debit card information [Adobe] believe[s] to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.”
The last item on this list, “the option of enrolling in a one-year complimentary credit monitoring membership where available”, in my opinion, may be a subtle, but nonetheless very important sign of something I’ve written about in the past with regard to cyber security, and the respective responsibilities of vendors and consumers. My argument has been that as the frequency and severity of these attacks increase, the ultimate responsibility for any losses will eventually shift to the consumer from the vendor.
Is it safe to surmise from this point that the consumer is going to feel the burden of any financial pain that may unfortunately result from this attack? Certainly Adobe will incur the expense of monitoring credit for a year, but there is no mention of Adobe compensating these consumers for any losses that may result from this attack.
I find further support for at least requesting further specificity from Adobe on these points with Mr. Arkin’s next declaration: “We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.” Just what does Adobe mean by “help protect customers’ accounts”?
The repercussions of all of this, at some point, will likely diminish consumer and business appetite for cloud, SaaS offers. Thoughts?
© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved