Tuesday, 28 June 2005
Disclosure or Protection?
Last week, I wrote this article about the recent data losses.
Now comes this class action lawsuit around the most recent incident.
The suit is about a very interesting argument:
The Card Companies are arguing that they'll notify people their accounts have been compromised if fraud is committed on those accounts. Further, they argue, their fraud protection technology and "zero-liability" policies around credit card fraud mean that they shouldn't need to disclose an account breach until fraud occurs.
The class action suit claims that ALL account holders that may have been exposed to a breach should be notified - whether fraud has occurred or not.
The distinction here is important: Until this point, US law has defaulted to the idea that the individual does NOT own the information a company possesses about them (via interaction), but they do have rights of control over that information. UK laws are quite the opposite (they emphasize ownership).
This argument is actually an argument around the *control* aspect: do I, as an individual, control my account to the extent that I can demand to know whether or not a potential breach has occurred? Or do I not control it that much?
If ownership is not the issue (as it is *not* under current laws), then *where* are the lines of control drawn? This is one to watch.


