<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Transaction Management &#38; Solutions &#124; TM&#38;S &#187; data security</title>
	<atom:link href="http://www.tmspay.com/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tmspay.com</link>
	<description>Transaction Management &#38; Solutions &#124; TM&#38;S</description>
	<lastBuildDate>Thu, 30 Jun 2011 20:41:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Can You Protect Your Customers From Outside Data Threats?</title>
		<link>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/</link>
		<comments>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/#comments</comments>
		<pubDate>Tue, 17 May 2011 00:56:04 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=383</guid>
		<description><![CDATA[It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that not a week goes by without a data breach being in the news.  Breaches occur a lot more than we realize – even affecting small businesses such as medical offices and single location restaurants.  However, only the big ones make headlines.  Hackers today have found various ways to obtain private and sensitive consumer data – and merchants are not all to blame.  <span id="more-383"></span></p>
<p>Following the Epsilon breach in April, consumers became more aware of third parties managing personal consumer information, as it affected huge companies such as Target, Walgreens and Best Buy.  Many companies, including small mom and pop outfits, outsource functions, such as data storage and marketing, so they can concentrate on what they do best (even if it’s just managing retail sales).  Businesses love automated programs that help ease the burden of time consuming marketing tasks, but what they don’t realize is that any time a third party company has access to customer data, sensitive information could be at risk.  Hackers don’t just look to target single company databases anymore, as we might think.  They have gotten a lot smarter.  Why hit a single company when they can hit a conglomerate who manages large amounts of data for other companies?  Epsilon manages email marketing for roughly 2,500 clients.  Even if the hackers were able to obtain just email addresses, that information can be used for phishing to obtain more sensitive data.  What about old databases that have not been scrubbed?  Data sources on the Sony PlayStation Network breach stated that the initial breached information, affecting 77 million accounts, was contained in an outdated database.</p>
<blockquote><p>Hackers don’t just look to target single company databases anymore&#8230;</p></blockquote>
<p>PCI security guidelines, as well as credit card associations, stipulate rules and regulations for how sensitive data (i.e. credit and debit card numbers) is to be stored, not stored, encrypted, etc.  However, even the breach of non-sensitive customer data (email and mailing addresses) can lead to consumers voluntarily giving away their sensitive information and thereby becoming victims of fraud.</p>
<p>Customer data sharing adds more fuel to the fire.  While customer data storage practices might change, customer data sharing will not be going away – likely ever.  Data sharing amongst financial institutions and creditors is very common and recent privacy notices now communicate this information more clearly, telling card holders what data sharing they can and cannot limit.  Even if an account is closed, the consumer’s information remains available for at least seven years.</p>
<p>Cloud computing, as we can see being pushed by Google and Microsoft, is a contributing factor as well.  Using a web-based service to store personal data of customers may be convenient, but it also puts that data at risk.  Underneath it all is the need for consumers to share their basic sensitive data, such as credit card and social security numbers, to live and function in our world today.  It is very rare that someone uses only cash, doesn’t have a bank account or hasn’t provided at least their social security number for some purpose or another.</p>
<p>Additionally, breaches don’t just come from people accessing data through the internet or insecure firewalls.  Data being transferred on portable devices, printed material stored in insecure locations, disgruntled employees who have access to personal and/or secure data (even if it is only names and email addresses) and personal information that is discarded without being shredded first can all be a target for fraud.</p>
<p>In addition to engaging practices to protect customer data, every business can learn from how affected businesses have responded to recent highly publicized data breaches.  Some followed up rather quickly with communication regarding the exposure and warned their customers of phishing emails and phone calls.  Financial institutions, such as WFNNB, which many merchants use as a credit card provider, issued new cards to their customers.  Sony took a more severe approach and has announced that their network will not be up and running again until the end of May.</p>
<p>The one good thing about these data breaches is the development of the next generation of encryption technology.  Unfortunately, it will likely continue to be a cat and mouse game.  As far as best business practices go, no matter what businesses do to protect customer data, those who communicate their privacy practices clearly and take precautions immediately following a breach (even if it did not affect them) will certainly keep more customers than they lose.</p>
<p><em>On a side note, if you want to read more about all the breaches that are reported, check out the <a href="http://www.privacyrights.org/data-breach">Privacy Rights Clearinghouse</a> chronology.  You just might be surprised.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2011/05/16/can-you-protect-your-customers-from-outside-data-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Taking Action Against Data Breaches</title>
		<link>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/</link>
		<comments>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 16:45:14 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[fraud]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=327</guid>
		<description><![CDATA[Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &#60;positive&#62; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of [...]]]></description>
			<content:encoded><![CDATA[<p>Of all the consumer protection laws coming into play, finally some legislation is being proposed for data security breaches.  When a data breach occurs, you see it in the news mostly for &lt;positive&gt; public relations reasons.  Companies issue press releases about data breaches to protect themselves and to stay in the good graces of their present and future customers.  If they didn’t reveal such information, it would eventually be discovered and the company would be faulted for not reporting it.  There are consequences either way, but the Federal Trade Commission (FTC) sees legislation as a way to force companies to be more proactive. <span id="more-327"></span></p>
<p>Measures to protect consumers today involve both regulation and legislation.  There is a big difference between the two.  Right now, regulations exist regarding data security and breaches, but those regulations come from entities such as the card companies, industry associations, and councils (i.e., PCI Data Security Council &#8211; PCI DSC).  While some states have passed data breach notification laws, current federal legislation regarding data security only affects financial institutions, consumer reporting agencies, and data security procedures.</p>
<p>As the U.S. consumer protection agency, the FTC enforces several laws and rules regarding data security, but none so far have targeted data breach notification.  According to the FTC testimonial, the following legislation exists:</p>
<ul>
<li>The Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (“GLB Act”) provides data security requirements for financial institutions.</li>
<li>The Fair Credit Reporting Act (“FCRA”) requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information, and imposes safe disposal obligations on entities that maintain consumer report information.</li>
<li>The Commission also enforces the FTC Act’s proscription against unfair or deceptive acts or practices in cases where a business makes false or misleading claims about its data security procedures, or where its failure to employ reasonable security measures causes or is likely to cause substantial consumer injury.</li>
</ul>
<p>In line with other new consumer protection laws being instituted, data security legislation has been proposed requiring companies to adhere to certain data security policies.  The bill, also known as the Data Security and Breach Notification Act of 2010, <a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3742" target="_blank">S.3742</a>, was introduced in August by Senators Mark Pryor (D-AR) and Jay Rockefeller (D- WV).  (Rockefeller, chairman of the committee on Commerce, Science, and Transportation was behind the post transaction marketing investigation, which was discussed in a previous <a href="../../../../../2009/11/29/post-transaction-marketing-is-it-worth-the-risk-for-e-commerce-merchants/" target="_blank">blog</a> last year.)  Last month, the FTC testified to a Senate Subcommittee on Consumer Protection, Product Safety, and Insurance that it supports the proposed legislation.  The subcommittee also heard <a href="http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf" target="_blank">testimony</a> from Symantec CTO Mark Bregman and Maneesha Mithal, Associate Director of the Division of Privacy and Identity Protection at the FTC, who outlined three items the FTC would like to see included in the legislation:</p>
<ul>
<li>The provision that requires companies to notify consumers in the event of a data breach should not be limited to electronic information</li>
<li>The proposed requirements should be extended to telephone companies</li>
<li>The bill should grant the FTC rulemaking authority to determine the circumstances under which providing free credit reports and monitoring may be required</li>
</ul>
<p>Companies who handle consumer data are guided against storing sensitive data by a multitude of associations, agencies, and councils, such as the PCI DSC.  Violations of data security regulations usually result in financial penalties or fines from those entities, with not much automatic legal recourse.  However, since 2001, the FTC has been able to use its authority to bring 29 cases against companies who failed to protect consumer data.</p>
<p>Having business experience in the card and electronic payment industry makes those of us in it more aware of data security practices on a daily basis in the places where we do business.  The FTC and consumer advocacy groups are doing a great job of providing consumers with information on various ways to protect their information.  It’s unfortunate that consumers are becoming more informed and businesses are learning lessons as a result of incidents, such as major fraud cases or class action lawsuits, instead of being more proactive about data security.  The FTC is trying to change that.</p>
<p>No matter what legislation or regulations are put into place, even if they are enforced, consumers still need to be vigilant about their own personal data security.  The new laws are being put into place because companies handling sensitive consumer data are not holding up their end of the bargain.</p>
<p><span style="text-decoration: underline;">Other References</span></p>
<p><a href="http://www.ftc.gov/bcp/index.shtml" target="_blank">FTC Bureau of Consumer Protection</a></p>
<p><a href="http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx" target="_blank">State Security Breach Notification Laws</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/10/04/ftc-taking-action-against-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Sharing Networks and Data Protection</title>
		<link>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/</link>
		<comments>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 14:24:27 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Risk and Fraud Management]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=287</guid>
		<description><![CDATA[Social networking meets the credit card industry &#8211; in a new way this time.  Although, I’m sure a recent new venture would have preferred a more favorable type of news release. Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its [...]]]></description>
			<content:encoded><![CDATA[<p>Social networking meets the credit card industry &#8211; in a new way this time.  Although, I’m sure a recent new venture would have preferred a more favorable type of news release.</p>
<p><a href="http://www.blippy.com/">Blippy</a>, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.  <span id="more-287"></span></p>
<p><strong>How It Works</strong></p>
<p>The site operates like Twitter, where members can follow other members.  Members sign up one of their credit cards to the site and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.</p>
<p>A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account).  Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post.  For instance, “Starbucks USA 00075424 04/25 CARD #&lt;XXXX&gt; Purchase #&lt;XXXXXXXXX&gt; Newport Bch, CA”, would be converted to just “Starbucks”.</p>
<p>Members can also add accounts that Blippy has signed on (i.e., iTunes and Zappos), which can also include more details of the card purchase.  With some accounts, a member can choose to show full product details:</p>
<p>Michael <em>purchased 1 app from iTunes </em>(and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)</p>
<p>Or just the amount spent:</p>
<p>Michael <em>spent $3.75 at Starbucks</em></p>
<p>Members are using Blippy to find hot deals, compare costs (i.e. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews.  Like Facebook, members and followers can comment on the post or hide posts from certain people.  (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled a previously scheduled lunch meeting during the same time.)  Some see the revelation of spending habits as a conscience for shoppers.  Others see it as sharing too much information.  Certain purchases and excessive spending can be potentially damaging to someone’s reputation.  For consumers who want to share everything and have nothing to hide, this is perfect for them.</p>
<blockquote><p>&#8220;Users who share information online are becoming slowly aware of the risks of this new technology.&#8221;</p></blockquote>
<p>Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general.  On the flip side, it could create more competition.  If full details of a purchase are posted, a competitor could lower prices to steal future business.</p>
<p><strong>Privacy Concern and Security Risks</strong></p>
<p>Information sharing and web collaboration were made possible with Web 2.0 technologies.  Users who share information online are becoming slowly aware of the risks of this new technology.    Companies who promote the sharing of information online need to ramp up security and take responsibility to help protect their users.</p>
<p>The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed on the HTML source page of a Blippy member’s page.  Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.).  After that issue was discovered, the glitch was fixed quickly.</p>
<p>According to Blippy cofounder Philip Kaplan, there was a &#8220;technical oversight&#8221; in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.  Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results.  Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated.  Blippy worked with Google immediately to remove the indexed pages.</p>
<p>Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages.  The company again worked with Google to remove the data.  In both cases, Blippy also contacted – and apologized to &#8211; the members affected.</p>
<p>Blippy – and its members – were quite lucky.  The damage could have been a lot worse had the site been in a more viral stage, ala Facebook or Twitter.</p>
<p><strong>Who is in Control?</strong></p>
<p>Social networking has given people the power to open up that privacy door – all on their own.  At the same time, secure data is at risk when financial information is released into the air.</p>
<p>Amazon was leery of Blippy in the beginning, as it blocked buyers from publishing their purchases.  Blippy went around the roadblock by requesting access to the Gmail accounts of members who used Gmail, in order to obtain the purchase data that Amazon emailed to them.  Other retailers have joined Blippy without as much concern, seeing it more like a promotional tool.</p>
<p>Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud.  As discussed in a previous two-part <a href="../../../../../2010/03/22/pci-compliance-why-merchants-need-to-take-it-seriously-part-i/">blog</a>, when data is compromised, fingers are usually pointed to the merchant receiving the card information.  However, all parties involved are responsible for ensuring data security.  On the top, merchants need to be extra careful about business relationships which may affect the data protection of their customers.  Unfortunately – for banks and retailers &#8211; if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.</p>
<p>While Blippy thought they were on top of security on their site, the recent data exposure has changed their course.  In their April 26 <a href="http://blog.blippy.com/2010/04/26/blippy-issues-resolutions-plan/">blog</a>, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.</p>
<p>On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news.  Oh, and Blippy will soon have company in this playing field as <a href="http://www.swipely.com/">Swipely</a> is soon to go live.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2010/04/30/social-sharing-networks-and-data-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security: Who is Responsible?</title>
		<link>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/</link>
		<comments>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 00:44:38 +0000</pubDate>
		<dc:creator>Michael Brooks</dc:creator>
				<category><![CDATA[Industry Compliance]]></category>
		<category><![CDATA[Payment Industry]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.tmspay.com/?p=140</guid>
		<description><![CDATA[The latest news about Heartland Payment Systems&#8217; 2008 security breach revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security. Heartland&#8217;s 2008 data breach is supposedly the largest breach of that year, but not the only one hit by the same hacker. According to Bob [...]]]></description>
			<content:encoded><![CDATA[<p><a href="None"><img class="alignleft size-full wp-image-136" style="float: left; margin: 10px; border: 0px;" title="No Minimum" src="http://www.tmspay.com/wp-content/uploads/2009/09/post140.jpg" alt="" width="180" height="180" /></a>The latest news about <a href="http://www.bankinfosecurity.com/articles.php?art_id=1168" target="_blank">Heartland Payment Systems&#8217; 2008 security breach</a> revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.</p>
<p>Heartland&#8217;s 2008 data breach is supposedly the largest breach of that year, but not the only one hit by the same hacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. However, news articles are blasting Heartland for not reporting the 2008 breach earlier so customers and merchants could take action and precautions. While the Department of Justice has been successful in capturing individuals behind the recent data breaches, this should be a strong sign to any company involved with sensitive data that they should be stepping up efforts in the prevention of data loss.</p>
<p><span id="more-140"></span>The delay of notification about data breaches is becoming too common and also a source of contention for those affected. The most recent news involved Radisson Hotels &amp; Resorts, who <a href="http://tech.yahoo.com/news/ap/20090819/ap_on_hi_te/us_radisson_hotels_security" target="_blank">recently revealed a breach</a> which occurred between November, 2008 and May, 2009. According to the Associated Press, Radisson reported that the data breach affected cardholder names, card numbers and expiration dates of their North American customers but they did not specify how many were affected.</p>
<p>One approach to get companies to pay more attention to data security has been to hit violators financially. Visa and MasterCard impose fines for PCI compliance violations (<a href="http://blog.elementps.com/element_payment_solutions/2009/07/mastercard-pci-compliance.html" target="_blank">MasterCard has recently increased their fines</a> hoping that companies will take data security more seriously). Class action lawsuits have also been filed against companies like Heartland by customers whose credit cards were affected in data breaches. Lawsuits and the financial impact to companies who handle sensitive data shouldn&#8217;t be the reasons they impose stricter controls, but if that is the case, then companies who have been spared should take that as a lesson.</p>
<p>Following <a href="http://www.tmspay.com/2008/09/05/what-is-pci-dss/" target="_self">PCI DSS</a> guidelines for securing data is simply not enough. Everyone in the &#8220;payment chain&#8221; (i.e. point of sale, processors, financial institutions) is responsible for ensuring data security. The stronger each piece is, the stronger the overall security of the data.  Additionally, although PCI compliance varies for different levels/tiers of processing volumes ($), everyone in the payment chain should go beyond what is required to protect the data. A processor using a third-party payment gateway should ensure that vendor is PCI compliant. That same third-party vendor should ensure their customers are PCI compliant as well. Finger pointing won&#8217;t solve the problem in a world where companies should work together to produce best practices.</p>
<p>Stronger encryption, along with the safety of, and restricted access to, physical data storage are just a few of the basics. Any company who handles sensitive data should have a dedicated team (or at least a key executive) assigned to manage those controls on a regular basis. A self assessment or qualified audit should be seen only as a guidepost. Companies relying only on auditors to determine their compliance are putting their company, and customers, in jeopardy. Being compliant doesn&#8217;t mean a company&#8217;s data is secure and the auditor cannot ensure that data is secure either. Their job is simply to report on the controls in place for data security.  <a href="https://www.verisign.com/static/PCI_REASONS.pdf" target="_blank">VeriSign&#8217;s 2007 white paper</a> about how to avoid an audit failure provides basic, yet necessary, measures for data security that are still valid, yet likely not practiced enough, today. Companies need to take these measures more personally on behalf of the security of their customer data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tmspay.com/2009/08/31/who-is-responsible-for-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

