Data Processors Intl Hack: Oh, Did We Forget to Mention That?
Right now, companies can, and usually do, avoid telling customers if their credit card numbers or other personal information has been stolen. Lawmakers in California have decided that should change. It's about time.
By Sarah D. Scalet
March 14, 2003 — CSO — Last month, Visa, MasterCard, American Express and Discover all confirmed that hackers had accessed more than 8 million credit card numbers from a database held by Data Processors International, an Omaha-based company that processes credit card transactions for merchants. By one tally, almost 1 percent of all the Visa and MasterCard numbers in American wallets were compromised.
But if you're waiting for your card issuer to say whether you're one of the unlucky losers, you might as well start breathing again. You'll probably never find out.
A few small card issuers, notably Citizens Financial Group and PNC Bank, have started notifying their customers and issuing replacement cards. But they are the exception. Most companies have opted instead to avoid the bad publicity and $35 it costs (by Gartner's estimates) to replace a single stolen credit card.
Their defense for this laissez-faire approach? First, there haven't been any confirmed cases of these particular card numbers being misused. Second, zero-liability policies—customers themselves aren't personally accountable for fraudulent charges—are sufficient protection.
This is a poor excuse, a little like a stockbroker not warning customers of investment risks because the investor hasn't lost any money yet. Stolen card numbers need time to wend their way through the black market and into the hands of someone who actually uses the card. Compounding this, identity theft, which is easy to launch with a name and credit card number, takes a long time to pinpoint—and months or even years to fix, regardless of zero-liability protection. (In all fairness, Data Processors asserts that only credit card numbers, and not names, were accessed by hackers. This would be unusual, to say the least.)
All of which makes California law SB 1386, passed last autumn to protect residents against identity theft, especially prescient. For shorthand purposes, let's just call it the "Duh Law." The idea of the Duh Law is to give customers who've had personal information compromised a chance to start keeping an eye on their credit reports. Starting July 1, if the name of a California resident, along with either driver's license number, Social Security number, or credit card or banking information, is disclosed in a security breach, the business or organization (no matter its home state) is legally obligated to notify the customer.
Say it with me now: Well, duh. The law may be groundbreaking, but it also seems patently obvious. Doesn't it?
"You would think so, but this is the first time there is a law on the books that's forcing companies to proactively inform customers," says Avivah Litan, vice president and research director at Gartner Research, who co-authored a forthcoming report about the risks of stolen credit cards. "The laws are just going to have to catch up with reality."