

When Startups Don’t Lock the Doors - RougeFemme
http://www.nytimes.com/2014/03/03/technology/when-start-ups-dont-lock-the-doors.html?ref=technology&_r=0

======
BadassFractal
Don't remember last time a company got really hurt by leaking their customers'
emails, passwords or CC numbers. It's usually "oops, call your CC company and
change your number, sorry" and then the news is old when another company gets
the same treatment 2 days later.

~~~
objclxt
E-mails and passwords are one thing, credit card numbers are quite another.

Firstly, you're going to get sued. Some law firm is going to figure out you're
a decent target, find someone aggrieved enough to be a lead plaintiff, and sue
you. Maybe the lawsuit is baseless, but you're still going to have to deal with
the expense and hassle of defending yourself. This is not cheap. The credit
card issuers will come after you to reimburse them for fraudulent activity
(because your merchant agreement almost certainly has a clause holding you
liable should you be responsible for a data breach). Oh, and now the payment
networks are insisting you provide a full PCI compliance audit, at your own
significant expense.

And whilst the Targets of this world typically have indemnity insurance that
covers this kind of thing, Joe Startup does not. So yes, the news cycle is
brief, and maybe the PR damage is minimal, but that's not what's going to hurt
you. What's going to hurt you is the pain and headache of wading through the
legal and financial crap-storm that's coming your way.

~~~
mathattack
As a customer, I might actually rather have someone get my credit card than a
password. The bank will find the credit card fraud quicker than a website
finding out my password has been compromised. And if someone gets an email
account's password, a lot of damage can be done.

