110th Congress Revisits Data Security Issue
Hacked computer networks, lost and stolen laptops containing personal information and the horror stories of consumers’ financial losses and headaches of trying to recover from having their identities stolen have permeated the news media for the last few years. The issue of data security has risen to prominence as consumers’ fear related to the issue has soared. Although the last Congress grappled with about 25 bills addressing the issue of data security, no major legislation on the subject was enacted. The issue, because of its importance to the general public, quickly entered the legislative queue in the new 110th Congress with about a dozen House and Senate bills on data security currently pending.
For NACM, the major concern is ensuring that any new measures designed to better protect personal consumer data will not restrict the free flow of commercial financial data used to finance trade credit transactions. Commercial or trade credit provides a major share of the financing that fuels the U.S. and global economies. NACM Board members and staff have been working hard to convey this message to Congress as it debates the issues involved in better protecting consumers’ personal data.
Lesson Learned From Data Security Breaches
Perhaps there is only one major lesson to be learned from the media reports of data security breaches over the past few years: the lack of adequate data security measures, or careless enforcement of them, is the major cause of almost every breach. Any lapse or weakness in data security systems and safeguards subjects data to theft or accidental loss. For example, improperly discarded records have been found in, and stolen from, dumpsters. Sound data security measures should not restrict the free flow of such information, whether for trade or consumer credit; however, even sound measures cannot by themselves protect against dishonest “insider” employees, including those who have passed rigorous initial background checks.
The most devastating breaches involve organizations that maintain or transmit large numbers of files containing individual personal identities: names, addresses, dates of birth, social security numbers, credit card and other financial account numbers. Once intercepted by thieves, such information may be used to make fraudulent credit card purchases and withdrawals from financial accounts and to obtain credit on the strength of someone else’s good credit history.
There have been several major data breaches involving hundreds of thousands of stolen individual records, as well as many smaller ones, at corporations, financial institutions, data brokers, retailers, federal agencies, state government agencies, local governments and other organizations. For a good source chronicling data security breaches from 2005 to the present, go to www.privacyrights.org. The website, maintained by the Privacy Rights Clearinghouse, a nonprofit consumer rights and advocacy organization, lists dozens of security breaches; as of June 27, 2007, its tally stood at 155,767,424 records containing sensitive personal information. Some of the better-known major breaches include ChoicePoint, Bank of America and the U.S. Veterans Administration. In the most recent incident, reported on July 3, 2007, a worker at a subsidiary of Fidelity National Information Services, a financial processing company in St. Petersburg, FL, took 2.3 million consumer records containing credit card, bank account and other personal information and sold them to a data broker.
TJX Data Breach
The biggest known theft of credit card numbers began two years ago at TJX, parent company of Marshall’s, T.J. Maxx, Home Goods and other retail outlets. A May 4, 2007 Wall Street Journal article entitled “How Credit-Card Data Went Out the Wireless Door” explains how hackers pointed a telescope-shaped antenna toward a Marshall’s discount clothing store near St. Paul, MN, and used a laptop computer to “decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers.” From that foothold the hackers worked their way electronically into TJX’s central database.
What is most astonishing about the TJX incident is that the $17.4 billion retailer’s wireless network used weaker security than many home networks. The WSJ article stated that for 18 months “the hackers, who have not been found, downloaded at least 45.7 million credit and debit card numbers from about a year’s worth of records,” according to TJX. “A person familiar with the firm’s internal investigation says they may have grabbed as many as 200 million card numbers all told from four years’ records.” The information stolen also included the driver’s license numbers, social security numbers and military identification of 451,000 customers. While the company disputes the 200 million figure, it cannot give a precise number. The Privacy Rights Clearinghouse’s own tally puts the loss at 45,700,000 credit and debit card account numbers and 455,000 merchandise return records containing customer names and driver’s license numbers, slightly above the 451,000 figure TJX reported.
The major weakness in TJX’s security was the encryption protocol protecting its wireless network. TJX was using an older, insecure protocol, Wired Equivalent Privacy (WEP). As early as 2001, security researchers had published practical attacks on WEP’s use of the RC4 cipher with a short 24-bit initialization vector, showing that a passive listener could recover traffic and, with enough captured frames, the key itself. A replacement protocol with stronger, per-packet keying, Wi-Fi Protected Access (WPA), became available in 2003. Unlike many other retailers, TJX had not moved to WPA. Furthermore, the WSJ article stated, “An auditor later found (TJX) also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn’t properly install another layer of security software it had bought.” TJX reportedly declined to comment on its security measures.
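The following Python script is an added illustration of why WEP was considered broken well before 2007; it is not code from the article, from TJX, or from any of the published attacks. WEP encrypts each frame with RC4 keyed by the shared key prefixed with a 24-bit initialization vector (IV) that is sent in the clear. Because the IV space is only 16.7 million values, IVs repeat quickly on a busy network, and two frames encrypted under the same IV share the same keystream: XORing their ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. Since IP traffic on 802.11 always starts with a predictable LLC/SNAP header, a listener with an antenna and a laptop gets known plaintext for free. The key, IVs and frame contents below are constructed for the demo; the CRC-32 integrity value that real WEP appends and the key-recovery (FMS-style) attack are deliberately left out.

```python
# Added example: keystream reuse in WEP. Not taken from the article or from TJX.
# The 40-bit key, IVs and frame contents are constructed for this demonstration.
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + pseudo-random generation), `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP transmits it: 3-byte IV in the clear, then plaintext XOR RC4(IV || key).
    The CRC-32 ICV real WEP appends is omitted; it does not change the keystream reuse."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the per-frame RC4 key from the cleartext IV and decrypt."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + root_key, len(body)))


# IP over 802.11 is carried behind this RFC 1042 LLC/SNAP header, so every IP frame
# hands a passive listener 8 bytes of known plaintext without any knowledge of the key.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_from_iv_collision(frame_a: bytes, frame_b: bytes, known_prefix_a: bytes) -> bytes:
    """Attacker: given two frames that reuse an IV and the leading plaintext of the first,
    recover the same number of leading plaintext bytes of the second, key never needed."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no keystream reuse to exploit")
    n = min(len(known_prefix_a), len(frame_a) - 3, len(frame_b) - 3)
    keystream = xor_bytes(frame_a[3:3 + n], known_prefix_a[:n])   # C_a XOR P_a = keystream
    return xor_bytes(frame_b[3:3 + n], keystream)                  # C_b XOR keystream = P_b


def frames_until_iv_repeat(seed: int) -> int:
    """Simulate a card picking random 24-bit IVs and count frames until one repeats.
    Birthday bound: roughly sqrt(pi/2 * 2**24), about 5,100 frames, i.e. minutes of
    store traffic. Cards that count IVs up from zero after each reboot collide sooner."""
    rng = random.Random(seed)                  # seeded so the run is reproducible
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = b"\x00\x13\x37"                       # IV that both frames happen to use
    frame_a = wep_encrypt(key, iv, LLC_SNAP_IP + b"price check, SKU 4711")
    frame_b = wep_encrypt(key, iv, LLC_SNAP_IP + b"card 4111111111111111")
    # XOR of ciphertexts equals XOR of plaintexts: the keystream is gone.
    print(xor_bytes(frame_a[3:], frame_b[3:]).hex())
    # Knowing all of frame A's plaintext (e.g. a packet the attacker sent into the
    # network) exposes all of frame B, without the key.
    print(recover_from_iv_collision(frame_a, frame_b, wep_decrypt(key, frame_a)))
    print("frames until an IV repeats:", frames_until_iv_repeat(2007))
```

WPA replaced this construction with per-packet keys derived from a 48-bit counter (TKIP), which is why the same RC4 core does not leak in WPA the way it does here.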
Jim Wise, NACM’s Washington Representative and managing partner of PACE-Capstone of Alexandria, VA, noted that Congress is very concerned about the issue of data security. He believes, though, that with issues such as Iraq War funding and sub-prime mortgage lending needing imminent action from the nation’s lawmakers, data privacy legislation will likely get more attention later in the year. One bill Wise pointed to as a possible vehicle to deliver changes in the data security landscape is S. 495, the Personal Data Privacy and Security Act of 2007. U.S. Sen. Patrick Leahy (D-VT), Chairman of the Judiciary Committee, introduced the bill that has garnered bi-partisan support with the co-sponsorship of ranking minority Judiciary member Arlen Specter (R-PA).
NACM President Robin Schauseil, CAE, has studied the issue closely over the past several months. She points to the Gramm-Leach-Bliley Act of 1999 (GLB), which governs the security of personal information held by financial institutions, as a likely model for other organizations and data brokers. In a meeting with Sen. Leahy’s staff in Washington earlier in the year, Schauseil said, the staff confirmed that the safeguards already in place are working for financial institutions. Because the FTC would also write and implement the safeguard standards under any privacy legislation enacted, it is likely to follow those already developed and in practice. In a June 2007 speech to NACM South Texas in Houston she said that if GLB mandates had applied to other organizations, “TJX…would have a mandated duty to shore up its safeguard practices or face fines.”
The Federal Trade Commission (FTC) issues the regulations that GLB requires for financial institutions, the Safeguards Rule (16 CFR Part 314). Schauseil contends that these regulations are reasonable for any organization that maintains personal information. “NACM-National already complies with all of them except the requirement that policies be in writing. We do not yet have a written policy, although we have always protected the data we store about our members,” she said in Houston. Pointing to these regulations she said, “They include designating someone to coordinate an information security program; identifying and assessing the risks to customer information; and designating, implementing, monitoring and testing a safeguard program.”
The FTC regulations require companies to review and assess the risks that arise when employees access customer data from home or other offsite locations. The rules also suggest that companies consider checking references and conducting background checks before hiring employees who will have access to customer information. The other requirements the FTC imposes on financial institutions are all geared to providing a high level of security over personal data and amount to common-sense practice for safeguarding it.
The Costs of Not Providing Adequate Data Security
Addressing the issue of the consequences of not adequately safeguarding personal data, Schauseil said in Houston, “The cost of not implementing some type of customer information privacy program is simply too high. In the case of TJX, companies will need to cover the losses of purchases made using stolen information. And, 451,000 people will need to rebuild their identities after they have been stolen…I’m not sure I can quantify that cost.” In the case of TJX, three states’ banking associations (Massachusetts, Connecticut and Maine) filed a class action lawsuit against TJX to recover the costs of damages totaling “tens of millions of dollars” incurred for replacing customers’ debit and credit cards.
In her concluding remarks in Houston, Schauseil, speaking as the chief executive of a relatively small $6 million organization, said, “Whether or not the privacy bills pass, I recommend that you visit the FTC website and read the safeguard rules. They serve as a sound checklist of things to do and to consider to protect the very precious information that we store about our customers.”