Keeper of the Keys
More than 145,000 consumers nationwide were placed at risk by a data theft at database giant ChoicePoint. Criminals tricked the company by posing as legitimate businesses to gain access to the various ChoicePoint databases, which contain a treasure trove of consumer data, including names, addresses, Social Security numbers, credit reports, and other information. At least 50 suspicious accounts had been opened in the name of nonexistent debt collectors, insurance agencies, and other companies, according to the company.
Without a doubt, databases are one of the most important IT tools that organizations use today. Databases contain large repositories of detailed data. When a transaction occurs, a sale, for example, a database stores every detail of the transaction including customer name, customer address, credit card number, products purchased, discounts received, and so on.
Organizations must carefully manage their databases. This management function includes properly organizing the information in these repositories in the most efficient way, ensuring that no erroneous information ever enters the databases, and, most important, protecting the information from thieves and hackers.
Information is a valuable commodity, and, sadly, this makes it a target for theft. Organizations store large amounts of customer information, including Social Security numbers, credit card numbers, and bank account numbers; just think of the information stored at eBay, Amazon, or the IRS. When someone steals personal information (not necessarily by taking it from the person, but rather by stealing it from a company), the person whose information was taken becomes a victim of identity theft. Consider this short list of organizations that have lost information and the huge numbers of customers affected.
Bank of America: 1.2 million customers.
CardSystems: 40 million customers.
Citigroup: 3.9 million customers.
DSW Shoe Warehouse: 1.4 million customers.
TJX Companies: 45.6 million customers.
Wachovia: 676,000 customers.
Adding up the numbers, more than 90 million people had their personal information either stolen or lost through organizations.
Business Accountability in Data Security
Companies may soon face stiff penalties for wayward data security practices. Massachusetts is considering legislation that would require companies to pay for any costs associated with a data breach of their IT systems. This move to protect customer data in Massachusetts comes at a fitting time, as two prominent retailers in the area, TJX Companies and Stop & Shop, wrestle with the aftermath of significant breaches that have exposed some of their customers to fraud.
Much of the expense associated with stopping fraudulent activity, such as canceling or reissuing credit or debit cards, stopping payment, and refunding customers, has been absorbed by the banks issuing credit or debit cards to the victims. The merchant banks that allow businesses such as TJX and Stop & Shop stores to accept credit and debit card transactions are penalized with fines from Visa, MasterCard, and other credit card organizations if the merchants they work with are found to violate the payment card industry's data security standards.
But the businesses that have had customer data stolen have largely suffered only from the costs to offer customers free credit-monitoring services and to repair a tarnished public image. In the case of popular retailers, this tarnish is easily polished away when juicy sales incentives are offered to get customers back.
Massachusetts House Bill 213, sponsored by Rep. Michael Costello, proposes to amend the Commonwealth's general laws to include a section that would require any corporation or other commercial entity whose sensitive customer information is stolen to notify customers about the data breach and also make companies liable to card-issuing banks for the costs those banks incur because of the breach and any subsequent fraudulent activity. This would include making businesses cover the costs to cancel or reissue cards, stop payments or block transactions with respect to any such account, open or reopen an account, and issue any refund or credit made to any customer of the bank as a result of unauthorized transactions.
The Massachusetts legislation is a key step in compelling companies to invest in better data security. Passage of this bill would put Massachusetts ahead of other states in terms of protecting customer data and spreading out the penalties so that both financial institutions and retailers have incentives to improve security. Security vendors are likely to be watching Massachusetts very closely, because the bill also would create an urgent need for companies doing business in that state to invest in ways to improve their ability to protect customer data. If the companies will not do this on their own, then holding them accountable for their customers' financial losses may be just what is needed to stop the next data breach from occurring.
How many organizations have your personal information, including your Social Security number, bank account numbers, and credit card numbers?