Cultivating Data Security: What's Real, What's Tail-Chasing

Customer Inter@ction Solutions, Oct 2005 by Schelmetic, Tracey E

It's been hard not to see evidence of the increasing tide of criminal data thefts lately. This year alone, CitiFinancial's data breach was announced in June, LexisNexis in April, and both Bank of America and ChoicePoint in February. These are only the highlights...there were many more, including banks, catalog companies and universities. Most organizations would like to avoid seeing their names in The Wall Street Journal under similar circumstances, but most of them are doing little more than crossing their fingers and hoping.

The problem is this: data security breaches can happen in many ways, so it's hard to know which tower to man the strongest. The ChoicePoint data breach occurred when criminals posing as legitimate customers asked to purchase, and were sold, the personal data of 145,000 people. (There was not, in this case, any hacking involved.)

Congress Wakes Up - Then Hits Snooze Button

The string of data breaches has drawn strong responses from both parties in Congress, though thus far there is little evidence that the many bills that have been drawn up are progressing to where they need to be: laws. As of the writing of this article, there were 22 bills in Congress dealing either directly or indirectly with identity theft. (One of these includes a rather odd bill, S.884, which was introduced to "conduct a study evaluating whether there are correlations between the commission of methamphetamine crimes and identity theft crimes.") Other bills that have been introduced address identity theft and anti-phishing, Social Security number protection and customer notification of data breaches.

Part of the problem with data security legislation is in knowing where to start. Bruce Schneier, internationally renowned security technologist and author who has been described by The Economist as a "security guru," said legislators' efforts should focus on making companies accountable for data theft. "Make companies liable for leaking identity information," said Schneier. "Make companies liable for the effects of fraudulent transactions; that is, if a bank or credit card company accepts a fraudulent transaction in my name that is not made by me, they should be liable for the losses that incur because of that mistake."

When I asked Schneier whether it's possible that Congress is always two steps behind both technology and its potential abuses because the legislators do not understand the technologies well enough to get a grip on how to protect consumers, Schneier told me that it doesn't matter, and he laid the blame at a different door. "It has nothing to do with being savvy enough," he said. "Legislators and judges have staffers who understand technology. It's simply that there is too strong a lobby - it directly affects legislators and pays for litigators that affect judges - preventing any real solutions."

California, The Early-Warning Beacon

At the state level, California's SB 1386 is the only state data theft disclosure bill in existence. It mandates that companies which maintain databases of private information on consumers MUST notify those customers if their data are lost, hacked or exposed in any way. It's taken as conventional wisdom that, were it not for this California law, U.S. consumers would be none the wiser to the data breaches at ChoicePoint, LexisNexis, Acxiom, Bank of America and other companies, until those mysterious designer clothing purchases and tickets to Tahiti started showing up on their credit cards.

The problem is, during the damage-control proceedings initiated by these companies, they inadvertently did more damage to themselves. When the companies told customers, "Look, we won't sell your Social Security numbers, drivers' license numbers and income details to anyone anymore," consumers didn't say, "Great!" They said, "Where did you get off selling that information in the first place?" The ugly reality is that few people were actually aware how much of their deeply personal information is bought and sold daily in Corporate America. Now that they know, they're becoming increasingly angry. The phrase "legislative backlash" continues to come up in discussions regarding what's on the horizon for data brokers or any company maintaining personal customer data in its system.

In March of this year, U.S. Senator Charles E. Schumer (D-NY) released a statement hard on the heels of the disclosure that DSW, an Ohio-based shoe retailer, is currently undergoing an investigation into credit card fraud. Said Schumer, "ChoicePoint has become a rallying point for consumer advocates in the Congress to do something substantial about the weak national laws to protect Americans' privacy. These new incidents of identity theft through stolen credit card information at DSW, and through account fraud at LexisNexis, should force Congress to act soon to bolster our pitiful privacy protections for consumers." Among some of his top agenda items, Schumer counts protecting consumers from predatory loan offers and putting reins on some of the excessive fees and interest rates many credit card companies regularly levy on consumers.

 


Content provided in partnership with ProQuest