Wednesday, June 29, 2005
Last week's compromise of data related to 40 million credit cards dwarfs other data breaches reported this year, yet the security lapse at CardSystems Solutions was avoidable. Public officials exploring ways to respond to and stanch this year's alarming hemorrhage of personal data need to shift focus away from consumers' privacy. The real "consumer's right" is data security, which legislation must strive to ensure.
Companies have no incentives, negative or positive, to protect our data. They operate with little mind for security because little punishment befalls them should breaches occur. Public embarrassment, such as what we saw with ChoicePoint, goes only so far to halt the bloodletting.
MasterCard, with 13.9 million cards affected by the CardSystems breach reported on June 17, posted a press release the same day detailing protections available to customers. A June 20 New York Times article (link is to an archive excerpt) by Eric Dash quoted CardSystems' chief admitting that the company should not have been keeping the information lost to thieves.
Reckless industry policies for handling sensitive information have set the stage for a massive security breach like the one at CardSystems. I'm surprised this sort of thing didn't happen sooner. Identity thieves prey on easy targets. Complacency works in their favor. They gravitate to shoddy security and exploit lapses in judgment. Consumers enjoy some protections after a theft has occurred, but these are small comforts to victims, who must endure hassles unimaginable to the uninitiated.
The results of a Cyber Security Industry Alliance study, reported last week in ComputerWorld and elsewhere, indicated 97 percent of 1,003 likely voters think identity theft is a "serious problem." Of respondents to the study, 71 percent "said new laws are necessary to protect consumer privacy on the Internet."
We hear a lot about how identity theft threatens privacy. Consumers want privacy, and politicians know this. Yet the charge is a misnomer. Privacy went the way of the dinosaur many years ago.
Last week, just as news organizations began widely reporting the CardSystems breach, U.S. Senators jockeyed for the public's attention in efforts to advance competing identity theft bills. The same ComputerWorld article reporting last week's research findings quoted members of Congress, such as Sen. Bill Nelson (D-Fla.), warning that identity theft threatens Americans' privacy.
Politicians and consumer advocates who decry the loss of privacy in the wake of massive identity thefts raise a moot point. The issue driving the identity theft debate should be security. If politicians want to take action on consumer rights, they should pursue legislation speaking to consumers' obvious right to ironclad security that protects personal financial data from those who seek to gain access to it illegally.
Sen. Conrad Burns (R-Mont.) called for required government licensing of all data brokers. A bill proposed by Sen. Charles Schumer (D-NY) and Sen. Nelson looked at recourse such as expanding the Federal Trade Commission to combat rogue, irresponsible data brokers that lose information to thieves.
Other measures would pass a federal law much like California's SB1386, which requires companies and state agencies to inform Californians of any security breach potentially threatening the identities of 500,000 or more people; such a federal law, many insisted, must not supersede tougher state laws.
Susceptible data calls for the armored vehicle's high-tech counterpart. These kinds of breaches are becoming commonplace. The industry storing our information is largely unregulated yet must be closely monitored. The situation is unacceptable, but the only way to turn things around is to pay attention and to start handling people's personal financial data in the same way we handle greenbacks.