Shostack + Friends Blog Archive


Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes:

“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”

And now, the law:

(e) For purposes of this section, “personal information” means an
individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual’s financial account.

That seems remarkably clear to me. Many other states have similar laws, some of which have trap-doors such as “if the institution doesn’t think the consumer will be affected.” As I’ve commented before, the institution has just demonstrated their security competence, so why we’re letting them compound it is beyond me.

Must be a side effect of living in upside-down land, where the law is what we want it to be, not what the text clearly states.