110th Congress Revisits Data Security Issue
Hacked computer networks, lost and stolen laptops containing personal information, and the horror stories of consumers’ financial losses and the headaches of trying to recover from having their identities stolen have permeated the news media for the last few years. The issue of data security has risen to prominence as consumers’ fear about it has soared. Although the last Congress grappled with about 25 bills addressing data security, no major legislation on the subject was enacted. Because of its importance to the general public, the issue quickly entered the legislative queue in the new 110th Congress, with about a dozen House and Senate bills on data security currently pending.
For NACM, the major concern is ensuring that any new measures designed to better protect personal consumer data will not restrict the free flow of commercial financial data used to finance trade credit transactions. Commercial or trade credit provides a major share of the financing that fuels the U.S. and global economies. NACM Board members and staff have been working hard to convey this message to Congress as it debates the issues involved in better protecting consumers’ personal data.
Lesson Learned From Data Security Breaches
Perhaps there is only one major lesson to be learned from all the media reports of data security breach fiascos over the past few years: the lack of adequate data security measures, or the careless enforcement of them, is the major cause of just about every security breach. Any lapse or weakness in data security systems and safeguards subjects data to possible theft or accidental loss. For example, improperly discarded data has been found in—and stolen from—dumpsters. Sound data security measures should not restrict the free flow of such information, whether for trade or consumer credit; however, sound data security measures can’t protect against the actions of dishonest “insider” employees, even those who have passed rigid initial background checks.
The most devastating data security breaches are those involving organizations that maintain or transmit large numbers of files of individual personal identities, such as names, addresses, dates of birth, social security numbers, credit card numbers and other financial account numbers. When intercepted by thieves, such information may be used to make fraudulent credit card purchases and withdrawals from financial accounts and to obtain credit on the strength of someone else’s good credit history.
There have been several major data breaches involving hundreds of thousands of stolen individual records, as well as many smaller ones. The affected organizations include various corporations, financial institutions, data brokers, retailers, federal agencies, state government agencies, local governments and others. For a good source that chronicles data security breaches from 2005 to the present, go to www.privacyrights.org/. The website, maintained by the Privacy Rights Clearinghouse, a nonprofit consumer rights and advocacy organization, has listed dozens of security breaches. As of June 27, 2007, 155,767,424 records containing sensitive personal information were listed. Some of the more well-known major data breaches include ChoicePoint, Bank of America and the U.S. Veterans Administration. In the most recent incident, reported on July 3, 2007, a worker at a subsidiary of Fidelity National Information Services, a financial processing company in St. Petersburg, FL, took 2.3 million consumer records containing credit card, bank account and other personal information and sold them to a data broker.
TJX Data Breach
The biggest theft of credit card numbers occurred two years ago with TJX, parent company of Marshall’s, T.J. Maxx, Home Goods and other retail outlets. A May 4, 2007 Wall Street Journal article entitled “How Credit-Card Data Went Out the Wireless Door” explains how hackers pointed a telescope-shaped antenna toward a Marshall’s discount clothing store near St. Paul, MN, and used a laptop computer to “decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers.” This enabled the hackers to electronically break into TJX’s central database.
What is most astonishing about the TJX incident is that the $17.4 billion retailer’s wireless network used weaker security than that employed in many home networks. The WSJ article stated that for 18 months “the hackers, who have not been found, downloaded at least 45.7 million credit and debit card numbers from about a year’s worth of records,” according to TJX. “A person familiar with the firm’s internal investigation says they may have grabbed as many as 200 million card numbers all told from four years’ records.” The information stolen by the TJX hackers included the driver’s license numbers, social security numbers and military identification of 451,000 customers. While the company disputes the 200 million figure, it cannot give a precise number. The Privacy Rights Clearinghouse tallies the stolen records at 45,700,000 credit and debit card account numbers and 455,000 merchandise return records containing customer names and driver’s license numbers.
The major weakness in TJX’s security was the encryption scheme it used to protect its wireless network. TJX was using an older, less secure scheme called Wired Equivalent Privacy, or WEP. As early as 2001, security experts were warning that WEP was relatively easy for attackers to crack. A stronger scheme that better protected wireless networks with more robust encryption, Wi-Fi Protected Access, or WPA, became available in 2003. Unlike many other retailers, TJX had failed to adopt WPA. Furthermore, the WSJ article stated, “An auditor later found (TJX) also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn’t properly install another layer of security software it had bought.” TJX reportedly declined to comment on its security measures.
Legislative Landscape
Jim Wise, NACM’s Washington Representative and managing partner of PACE-Capstone of Alexandria, VA, noted that Congress is very concerned about the issue of data security. He believes, though, that with issues such as Iraq War funding and sub-prime mortgage lending needing imminent action from the nation’s lawmakers, data privacy legislation will likely get more attention later in the year. One bill Wise pointed to as a possible vehicle to deliver changes in the data security landscape is S. 495, the Personal Data Privacy and Security Act of 2007. U.S. Sen. Patrick Leahy (D-VT), Chairman of the Judiciary Committee, introduced the bill, which has garnered bi-partisan support with the co-sponsorship of ranking minority Judiciary member Arlen Specter (R-PA).
NACM President Robin Schauseil, CAE, has tirelessly studied the issue over the past several months. She points to the Gramm-Leach-Bliley Act of 1999 (GLB), which pertains to data security of personal information maintained by financial institutions, as a likely model for other organizations and data brokers. In a meeting with Sen. Leahy’s staff in Washington earlier in the year, Schauseil noted that they confirmed that the safeguards already in place are working for financial institutions. Because the FTC would also write and implement the safeguard standards for any privacy legislation enacted, it is likely that it will follow those already developed and in practice. In a speech delivered in June 2007 to NACM South Texas in Houston, she said that if GLB mandates had been in place for other organizations, “TJX…would have a mandated duty to shore up its safeguard practices or face fines.”
Reasonable Regulations
The Federal Trade Commission (FTC) issues regulations pertaining to financial institutions as required by GLB. Schauseil contends that these regulations are reasonable for any organization that maintains personal information. “NACM-National already complies with all of them except the requirement that policies be in writing. We do not yet have a written policy, although we have always protected the data we store about our members,” she said in Houston. Pointing to these regulations, she said, “They include designating someone to coordinate an information security program; identifying and assessing the risks to customer information; and designating, implementing, monitoring and testing a safeguard program.”
The FTC regulations require companies to review and assess risks when company employees access customer data from home or other offsite locations. The rules also suggest that companies consider checking references and conducting background checks before hiring employees who will have access to customer information. The other FTC regulations required of financial institutions are all geared to providing a high level of security over personal data and are common-sense measures for safekeeping these data.
The Costs of Not Providing Adequate Data Security
Addressing the consequences of not adequately safeguarding personal data, Schauseil said in Houston, “The cost of not implementing some type of customer information privacy program is simply too high. In the case of TJX, companies will need to cover the losses of purchases made using stolen information. And, 451,000 people will need to rebuild their identities after they have been stolen…I’m not sure I can quantify that cost.” In the case of TJX, three states’ banking associations (Massachusetts, Connecticut and Maine) filed a class action lawsuit against TJX to recover the costs of damages totaling “tens of millions of dollars” incurred for replacing customers’ debit and credit cards.
Sound Advice
In her concluding remarks in Houston, Schauseil, speaking as the chief executive of a relatively small $6 million organization, said, “Whether or not the privacy bills pass, I recommend that you visit the FTC website and read the safeguard rules. They serve as a sound checklist of things to do and to consider to protect the very precious information that we store about our customers.”