<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Transaction Management &#38; Solutions &#124; TM&#38;S &#187; data security</title>
	<atom:link href="http://www.tmspay.com/category/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tmspay.com</link>
	<description>Transaction Management &#38; Solutions &#124; TM&#38;S</description>
	<lastBuildDate>Thu, 30 Jun 2011 20:41:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Can You Protect Your Customers From Outside Data Threats?</title>
		<link>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/</link>
		<comments>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/#comments</comments>
		<pubDate>Tue, 17 May 2011 00:56:04 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=383</guid>
		<description><![CDATA[It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive consumer data – and merchants are not all to blame.  <span id="more-383"></span></p>
<p>Following the Epsilon breach in April, consumers became more aware of third parties managing personal consumer information, as it affected huge companies such as Target, Walgreens and Best Buy.  Many companies, including small mom and pop outfits, outsource functions, such as data storage and marketing, so they can concentrate on what they do best (even if it’s just managing retail sales).  Businesses love automated programs that help ease the burden of time-consuming marketing tasks, but what they don’t realize is that any time a third party company has access to customer data, sensitive information could be at risk.  Hackers don’t just look to target single company databases anymore, as we might think.  They have gotten a lot smarter.  Why hit a single company when they can hit a conglomerate that manages large amounts of data for other companies?  Epsilon manages email marketing for roughly 2,500 clients.  Even if the hackers were able to obtain just email addresses, that information can be used for phishing to obtain more sensitive data.  What about old databases that have not been scrubbed?  Data sources on the Sony PlayStation Network breach stated that the initial breached information, affecting 77 million accounts, was contained in an outdated database.</p>
<blockquote><p>Hackers don’t just look to target single company databases anymore&#8230;</p></blockquote>
<p>PCI security guidelines, as well as credit card associations, stipulate rules and regulations for how sensitive data (i.e. credit and debit card numbers) is to be stored, not stored, encrypted, etc.  However, even the breach of non-sensitive customer data (email and mailing addresses) can lead to consumers voluntarily giving away their sensitive information and thereby becoming victims of fraud.</p>
<p>Customer data sharing adds more fuel to the fire.  While customer data storage practices might change, customer data sharing will not be going away – likely ever.  Data sharing amongst financial institutions and creditors is very common and recent privacy notices now communicate this information more clearly, telling card holders what data sharing they can and cannot limit.  Even if an account is closed, the consumer’s information remains available for at least seven years.</p>
<p>Cloud computing, as we can see being pushed by Google and Microsoft, is a contributing factor as well.  Using a web-based service to store personal data of customers may be convenient, but it also puts that data at risk.  Underneath it all is the need for consumers to share their basic sensitive data, such as credit card and social security numbers, to live and function in our world today.  It is very rare that someone uses only cash, doesn’t have a bank account or hasn’t provided at least their social security number for some purpose or another.</p>
<p>Additionally, breaches don’t just come from people accessing data through the internet or insecure firewalls.  Data being transferred on portable devices, printed material stored in insecure locations, disgruntled employees who have access to personal and/or secure data (even if it is names and email addresses), and personal information that is discarded without being shredded first can all be a target for fraud.</p>
<p>In addition to engaging practices to protect customer data, every business can learn from how affected businesses have responded to recent highly publicized data breaches.  Some followed up rather quickly with communication regarding the exposure and warned their customers of phishing emails and phone calls.  Financial institutions, such as WFNNB, which many merchants use as a credit card provider, issued new cards to their customers.  Sony took a more severe approach and has announced that their network will not be up and running again until the end of May.</p>
<p>The one good thing about these data breaches is the development of the next-generation encryption technology.  Unfortunately, it will likely continue to be a cat and mouse game.  As far as best business practices, no matter what businesses do to protect customer data, those who communicate their privacy practices clearly and take precautions immediately following a breach (even if it did not affect them) will certainly keep more customers than they lose.</p>
<p><em>On a side note, if you want to read more about all the breaches that are reported, check out the <a href="http://www.privacyrights.org/data-breach">Privacy Rights Clearinghouse</a> chronology.  You just might be surprised.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Taking Action Against Data Breaches</title>
		<link>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/</link>
		<comments>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 16:45:14 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=327</guid>
		<description><![CDATA[Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &#60;positive&#62; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of [...]]]></description>
			<content:encoded><![CDATA[<p>Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &lt;positive&gt; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of their present and future customers.  If they didn’t reveal such information, it would eventually be discovered and the company would be faulted for not reporting it.  There are consequences either way, but the Federal Trade Commission (FTC) sees legislation as a way to force companies to be more proactive. <span id="more-327"></span></p>
<p>Measures to protect consumers today involve both regulation and legislation.  There is a big difference between the two.  Right now, regulations exist regarding data security and breaches, but those regulations come from entities such as the card companies, industry associations, and councils (i.e., PCI Data Security Council &#8211; PCI DSC).  While some states have passed data breach notification laws, current federal legislation regarding data security only affects financial institutions, consumer reporting agencies, and data security procedures.</p>
<p>As the U.S. consumer protection agency, the FTC enforces several laws and rules regarding data security, but none so far have targeted data breach notification.  According to the FTC testimony, the following legislation exists:</p>
<ul>
<li>The Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (“GLB Act”) provides data security requirements for financial institutions.</li>
<li>The Fair Credit Reporting Act (“FCRA”) requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information, and imposes safe disposal obligations on entities that maintain consumer report information.</li>
<li>The Commission also enforces the FTC Act’s proscription against unfair or deceptive acts or practices in cases where a business makes false or misleading claims about its data security procedures, or where its failure to employ reasonable security measures causes or is likely to cause substantial consumer injury.</li>
</ul>
<p>In line with other new consumer protection laws being instituted, data security legislation has been proposed requiring companies to adhere to certain data security policies.  The bill, also known as the Data Security and Breach Notification Act of 2010, <a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3742" target="_blank">S.3742</a>, was introduced in August by Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV).  (Rockefeller, chairman of the committee on Commerce, Science, and Transportation, was behind the post transaction marketing investigation, which was discussed in a previous <a href="../../../../../2009/11/29/post-transaction-marketing-is-it-worth-the-risk-for-e-commerce-merchants/" target="_blank">blog</a> last year.)  Last month, the FTC testified to a Senate Subcommittee on Consumer Protection, Product Safety, and Insurance that it supports the proposed legislation.  The subcommittee also heard <a href="http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf" target="_blank">testimony</a> from Symantec CTO Mark Bregman and Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at the FTC, who outlined three items the FTC would like to see included in the legislation:</p>
<ul>
<li>The provision that requires companies to notify consumers in the event of a data breach should not be limited to electronic information</li>
<li>The proposed requirements should be extended to telephone companies</li>
<li>The bill should grant the FTC rulemaking authority to determine the circumstances under which providing free credit reports and monitoring may be required</li>
</ul>
<p>Companies that handle consumer data are advised against storing sensitive data by a multitude of associations, agencies, and councils, such as the PCI DSC.  Violations of data security regulations usually result in financial penalties or fines from those entities, with not much automatic legal recourse.  However, since 2001, the FTC has been able to use its authority to bring 29 cases against companies that failed to protect consumer data.</p>
<p>Having business experience in the card and electronic payment industry makes us more aware of data security practices on a daily basis in places where we do business.  The FTC and consumer advocacy groups are doing a great job of providing consumers with information on various ways to protect their information.  It’s unfortunate that consumers are becoming more informed and businesses are learning lessons as a result of incidents, such as major fraud cases or class action lawsuits, instead of being more proactive about data security.  The FTC is trying to change that.</p>
<p>No matter what legislation or regulations are put into place, even if they are enforced, consumers still need to be vigilant about their own personal data security.  The new laws are being put into place because companies handling sensitive consumer data are not holding up their end of the bargain.</p>
<p><span style="text-decoration: underline;">Other References</span></p>
<p><a href="http://www.ftc.gov/bcp/index.shtml" target="_blank">FTC Bureau of Consumer Protection</a></p>
<p><a href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx" target="_blank">State Security Breach Notification Laws</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Best Dynamic Web Page-to-PDF Generator</title>
		<link>http://www.tmspay.com/2010/07/12/the-best-dynamic-web-page-to-pdf-generator/</link>
		<comments>http://www.tmspay.com/2010/07/12/the-best-dynamic-web-page-to-pdf-generator/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 16:27:21 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Card Associations]]></category>
		<category><![CDATA[Chargebacks]]></category>
		<category><![CDATA[Electronic Payment Processing]]></category>
		<category><![CDATA[Industry Compliance]]></category>
		<category><![CDATA[MOTO/ecommerce]]></category>
		<category><![CDATA[Marketing and Sales Practices]]></category>
		<category><![CDATA[Payment Industry]]></category>
		<category><![CDATA[Payment Innovations & Technologies]]></category>
		<category><![CDATA[Rates and Fees]]></category>
		<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data security]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=305</guid>
		<description><![CDATA[ABCpdf.NET is, in our opinion, the best dynamic web page-to-PDF generator out there. We’ve evaluated many different PDF generation libraries, and found ABCpdf.NET to be superior.  This product shines in its simplicity to install and its ease of use.  It has made our system easier to use for the end user and we couldn’t function [...]]]></description>
			<content:encoded><![CDATA[<p>ABCpdf.NET is, in our opinion, the best dynamic web page-to-PDF generator out there. We’ve evaluated many different PDF generation libraries, and found ABCpdf.NET to be superior.  This product shines in its simplicity to install and its ease of use.  It has made our system easier to use for the end user and we couldn’t function without it. We highly recommend Websupergoo products. We encourage you to try their software &#8211; <a href="http://www.websupergoo.com/products.htm" target="_blank">http://www.websupergoo.com/products.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/07/12/the-best-dynamic-web-page-to-pdf-generator/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

