Sarah D. Scalet
Senior Editor

Data Processors Intl Hack: Oh, Did We Forget to Mention That?

Mar 14, 2003 | 4 mins
Data and Information Security | Hacking

Right now, companies can, and usually do, avoid telling customers if their credit card numbers or other personal information has been stolen. Lawmakers in California have decided that should change. It's about time.

Last month, Visa, MasterCard, American Express and Discover all confirmed that hackers had accessed more than 8 million credit card numbers from a database held by Data Processors International, an Omaha-based company that processes credit card transactions for merchants. By one tally, almost 1 percent of all the Visa and MasterCard numbers in American wallets were compromised.

But if you’re waiting for your card issuer to say whether you’re one of the unlucky losers, you might as well start breathing again. You’ll probably never find out.

A few small card issuers, notably Citizens Financial Group and PNC Bank, have started notifying their customers and issuing replacement cards. But they are the exception. Most companies have opted instead to avoid the bad publicity and $35 it costs (by Gartner’s estimates) to replace a single stolen credit card.

Their defense for this laissez-faire approach? First, there haven’t been any confirmed cases of these particular card numbers being misused. Second, zero-liability policies—customers themselves aren’t personally accountable for fraudulent charges—are sufficient protection.

This is a poor excuse, a little like a stockbroker not warning customers of investment risks because the investor hasn’t lost any money yet. Stolen card numbers need time to wend their way through the black market and into the hands of someone who actually uses the card. Compounding this, identity theft, which is easy to launch with a name and credit card number, takes a long time to pinpoint—and months or even years to fix, regardless of zero-liability protection. (In all fairness, Data Processors asserts that only credit card numbers, and not names, were accessed by hackers. This would be unusual, to say the least.)

All of which makes California law SB 1386, passed last autumn to protect residents against identity theft, especially prescient. For shorthand purposes, let’s just call it the “Duh Law.” The idea of the Duh Law is to give customers who’ve had personal information compromised a chance to start keeping an eye on their credit reports. Starting July 1, if the name of a California resident, along with either driver’s license number, Social Security number, or credit card or banking information, is disclosed in a security breach, the business or organization (no matter its home state) is legally obligated to notify the customer.

Say it with me now: Well, duh. The law may be groundbreaking, but it also seems patently obvious. Doesn’t it?

“You would think so, but this is the first time there is a law on the books that’s forcing companies to proactively inform customers,” says Avivah Litan, vice president and research director at Gartner Research, who co-authored a forthcoming report about the risks of stolen credit cards. “The laws are just going to have to catch up with reality.”

The Duh Law isn’t without its loopholes. Encrypted databases are exempt, and there’s also a provision that allows notification to be delayed when it would hamper a criminal investigation. But state lawmakers wrote it with big numbers in mind. If more than 500,000 persons are affected or if notification would cost more than $250,000, the organization can opt for substitute notice instead of contacting each affected person individually: notify the major statewide media, post a conspicuous notice on its website and e-mail the customers whose addresses it has. That’s still not the kind of effort any business wants to think about expending.

“Leave it to California,” Litan says. “They’re always the bellwether state for consumer rights.”

Meanwhile in Washington, Sen. Dianne Feinstein (D.-Calif.) is busy with identity theft legislation of her own. She is in the process of introducing a package of four (count ’em, four) identity theft bills aimed at combating what the Federal Trade Commission considers the country’s fastest-growing white-collar crime. At this time, a spokesperson in Feinstein’s office said that none of the legislation includes a provision requiring companies to notify customers whose personal information has been breached. But her office is certainly aware of the California law, which is being eyed nervously by the credit card industry.

And so it seems that, finally, we may be entering the twilight of an era when companies could just zip their lips and cross their fingers when customers’ personal information was stolen. Someday, hopefully soon, it will be time to ’fess up—or better yet, to keep the security breach from happening in the first place.

Well, duh.