more on LAST TIME I USE HOTELS.COM djf Ernst & Young laptop loss exposes 243,000 Hotels.com customers

[David Farber <dave () farber net>]

Begin forwarded message:

From: Phil Kos <PhilK () quardev com>
Date: June 2, 2006 8:08:36 PM EDT
To: David Farber <dave () farber net>
Cc: Bill Stewart <bill.stewart () pobox com>
Subject: Re: [IP] more on LAST TIME I USE HOTELS.COM djf Ernst &  
Young laptop loss exposes 243,000 Hotels.com customers

This is a difficult issue that affects all of us to some extent, and  
does not seem to have any simple solution -- if it has any solution  
at all.

Dr. Farber, you gave your information to Hotels.com.  Presumably,  
they had assured you they would protect it, or you wouldn't have done  
so.  And presumably their assurances included (boilerplate)  
statements to the effect that, while they would feel free to share  
your information with partners if necessary for business purposes,  
any such partners would be required to provide equal protection for  
your information.

So what do YOU do in a situation like this, where the partner (in  
this case E&Y) fails to live up to the bargain they made with  
Hotels.com?  You have no contractual relationship with E&Y, so you  
can't expect any satisfaction from them.  I suppose you could try to  
hold Hotels.com responsible, but they'll just skate based on the fact  
that they followed "industry best practices" by "requiring"  
protection from E&Y, so they've satisfied any obligation they had to  
you.

It might be satisfying to merely stop dealing with Hotels.com as you  
stated, but real damage has been done; so I wouldn't feel that it was  
sufficient.  And it's also problematic, because all companies are  
vulnerable to such breaches by their partners, and all companies have  
partnerships like this; so it's not like there are any real  
alternatives.

To me, the problem seems to be that we are frequently forced to agree  
to these transitive trust relationships without any corresponding  
reverse transitive responsibility.  When we trust a company we're  
explicitly doing business with, we implicitly trust the partners they  
explicitly do business with, yet we ourselves have no leverage over  
those companies.  I find this not only unsatisfying, but downright  
disturbing -- to the extent that I choose not to participate in many  
commercial activities because of it, and only rarely give out  
personal information to anyone, for anything (usually only when  
required by law, or necessary to obtain critical services).

I had to get a new credit card two years ago because a processing  
company used by my travel agency managed to lose a huge pile of  
credit card numbers.  There was no satisfaction I could possibly get  
from the processing company.  I have not used the travel agency since  
then, but that was not intended to be punitive: I never felt that  
there was anything I could possibly do that would prevent such a  
thing from occurring again in the future, including using a different  
travel agent, so there didn't seem to be any point.

I would like to hear what you end up doing in this situation, whether  
it satisfies you, and whether it seems to have any other positive  
effect.  As I said earlier, this is a difficult problem; and I'm not  
sure there is any satisfactory solution.

Mr. Stewart makes an interesting point (if I read him correctly) --  
that the fault is truly E&Y's, but because of consolidation in their  
industry, there are virtually no alternatives to E&Y, so Hotels.com  
is essentially helpless to improve the situation, and punitive  
actions against them are therefore misguided.  However, this is  
perhaps the most deeply unsatisfying piece of the whole puzzle.  Can  
this really be as good as it gets?  If so, why do we trust any of  
these companies with ANYTHING?  Are we all really at the mercy of the  
weakest links, with no hope for improvement?


Despondently,


Phil Kos
Issaquah, WA



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/