Web responsibility

What are the legal implications/ramifications and responsibilities of a site owner unknowingly exposing sensitive customer information (names and credit card information) over the internet? What about if exposure was only a possibility, with no way of knowing for a fact that an intrusion had occurred or that a vulnerability existed? Or what about the person or persons who know about the vulnerability, don't properly secure said data, and decide it's okay since the exploit could only be carried out in an extremely rare and random instance?

Keep in mind these questions are asked purely out of curiosity, since I know our duty is to protect and serve as bloggers, business owners and employees of the web.

About the Author, Dan Cameron:

I'm the owner and solution engineer at Sprout Venture, a web solutions company that specializes in web development including WordPress.

I started my first blog in 2003 and transitioned to WordPress in 2004. Since moving to WordPress I've written a few plugins and themes for public consumption. Lately I'm busy engineering/building/coding and have only been able to share a few code snippets.

If you're in need of some web development, web design or custom WordPress plugins and/or themes contact me, I'll be happy to discuss it with you.


  • nstryker
    As far as your question about just the possibility, I'm no lawyer, but it's my understanding that the law currently says that if there is a potential of personal information being exposed (even without evidence that someone took it), the person/company holding that information must immediately report the exposure to the user, even if they believe no one got in.
  • JaredB
    Some of that depends on who you are (private individual or company vs. publicly traded, etc.) There are new laws (Sarbanes-Oxley) that put a lot of regulations on what some companies are required to do.

    Other than that, I would say that whoever is responsible for that leak should be held fully accountable for any damages that result. In most cases, that would be the company that owns the site; I can't imagine an individual (not affiliated with a company) having any reason to gather credit card info.

    Of course, part of the puzzle (at least the way the law works now) is damages. If no one's info was actually stolen and used (as you suggested in the case of a potential vulnerability without proof of an exploit), then in most cases there would be no damages, so I don't think the consumers could go after the company for irresponsibly managing their info until they are hurt by it. I'm not saying I agree with that; I think there should be legal penalties with heavy fines for companies who are proven to have been negligent in handling customer information (not keeping up with patches and good security practices) whether or not any actual theft occurs.

    Then you have the other side of the coin, where people who expose the vulnerabilities (often labeled "hackers") are held responsible not only for the hole (which the company, not the hacker, should absolutely be responsible for paying to fix) but also for all kinds of "theoretical" damages. In most hacker cases, they usually throw around enormous figures that represent the amount of money the attacker could have theoretically stolen if he had used all the information that was made available in the attack. They usually try to ignore the fact that in many cases the attacker never uses the available information at all, or if he does, it is on a much smaller scale than the inflated possible figure represents.

    There is another horrible flaw in the legal system as it relates to this specific issue (damages and assessing the "seriousness" of the crime); often what happens is these inflated figures are brought out at the time of sentencing, not during the trial itself, and during sentencing there is a much lower standard of evidence, and the accused does not get to adequately refute the allegations that they "stole" that much money just because they had access to it.

    In summary, it's probably obvious that I believe companies should bear a high degree of liability when an incident like this occurs. It is never an excuse to say that a known exploit can only happen in rare circumstances, etc. - it is still that company's responsibility to secure their data appropriately.

    I'd go even farther and say that when a vulnerability is exposed (but not exploited), that it is the company who should face charges, not the person who exposes the vulnerability. If the vulnerability IS exploited, then there should be additional penalties for the person performing the exploit, but only according to any actual damages they cause (how much money is stolen, not how much could have been, and especially not how much it costs to fix the hole).