Suffering in silence with data leaks

Current laws may not compel merchants to notify consumers when their personal information is stolen.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Lynn Perry was living an online shopping nightmare.

A hacker had snatched her home address and phone and credit card numbers--even the three-digit security code printed on the back of her credit card--and was offering them to anyone willing to pay the asking price: $5.

Perry, a copyright attorney from Mill Valley, Calif., was among 10 people whose personal data was posted last month on a Web site that specializes in the trafficking of stolen information. Even worse, no one bothered to tell her that her credit card information had been compromised.

It's likely that no one was required to do so. Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss.

Most existing laws allow merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a robbery if disclosing it would interfere with a police investigation.

That's a huge loophole that could be invoked in almost every incident of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case "under investigation," he said.

"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."

Behind the break-ins
The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever."

A national retailer suffered a data breach late last year and thieves managed to steal debit card information, including personal identification numbers (PINs), from thousands of consumers across the country. After reports of fraud began to pile up, dozens of banks and credit unions across the country began replacing more than 200,000 debit cards.

Perry lost her personal information in a far smaller incident. She and six other people interviewed by CNET News.com whose details were being sold on the same Web site had one thing in common: They shopped at online electronics store JDM Infrastructure. But none of the victims knew their information had been stolen because JDM Infrastructure had never notified them, they said.

While John Marks, chief executive of JDM Infrastructure, acknowledged that the company knew about a computer break-in, he said no customer data was lost. The online electronics reseller doesn't store such information, he said. But regardless of who lost it, did Marks feel compelled to warn customers of the potential threat of identity theft?

"We did everything we were supposed to do," Marks said.

Marks may well be right, but consumer advocates are alarmed by such attitudes.

"Companies who lose this kind of information owe it to their customers to take responsibility," said Christopher Goetcheus, spokesman for the Massachusetts Office of Consumer Affairs. "We want companies to treat their customers' trust as their most important asset."

On the lawbooks
To understand the problem with disclosure laws around the U.S., California's SB 1386 is a good place to start, because most other state laws were patterned after it.

Passed in September 2002, the California law allows a merchant to stay quiet about a digital data breach if the information lost was encrypted. This could apply even if the "key" to unlock the encryption was also stolen, analysts said. In addition, the state law is unclear on the issue of a merchant's responsibility if the company's technology provider, such as a Web hosting company, suffered an intrusion.

The law also requires notification to any resident "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." But it offers no criteria for determining "reasonable" belief. Merchants are left to decide for themselves what is reasonable, legal experts said.

While California's laws allow plenty of leeway to merchants, consumer advocates say New York's state disclosure laws are a model for consumer protection. Passed in August 2005, S03492 requires any data compromise that has exposed the personal information of New York residents to be disclosed.

"Disclosure shall be made in the most expedient time possible and without unreasonable delay," the law reads.

But New York may have to yield to federal regulation that offers consumers even fewer rights to demand notification about data leaks, should legislation being considered by Congress become law, said Rep. Barney Frank, the senior Democrat on the House financial services committee.

Some of the bills under consideration would give companies greater latitude in deciding when to report the loss of customer information, and would also restrict the right of consumers to freeze their bank accounts should their personal details be stolen, Frank said.

"The whole thing is ridiculous," said Frank, who argues that states should be allowed to set their own disclosure laws. "Not exposing these companies violates every good conservative principle of law enforcement, which says that the person who does the wrong is the one who must pay the price."

Certainly, some merchants have spoken up about losing customer data. Wal-Mart Stores issued a press release after thieves obtained personal information from an undisclosed number of Sam's Club customers in October.

But when other companies hesitate to inform customers, they are only helping cyberbandits, argues CardCops.com's Clements, who has been involved in exposing more than 500 illegal digital intrusions. Time is of the essence when it comes to catching thieves and minimizing the damage to consumers, he said.

"Keeping a data theft under wraps only increases the chance for hackers to steal a consumer's identity," Clements said. "The longer you wait, the more time you give hackers to work. If people are informed, they at least have a chance to protect themselves."

Hours before a reporter informed Perry on Feb. 17 that her card was for sale on the Web, she received a call from Visa informing her that it had flagged several suspicious charges. She confirmed that the charges were indeed unauthorized.

The hacker who stole her information has a reputation for dealing in "cherry cards," meaning his card information is usually valid and valuable. That thieves can so brazenly sell such data is troubling to many, given that only about 17 percent of the country's largest 230 merchants meet security standards required by the major credit card companies, according to Visa.

"The whole thing made me feel very vulnerable," said Perry, who put a 90-day hold on her credit to help thwart any attempts to steal her identity. "Before I go shopping again, I'm going to look for a security symbol, something that tells me the site's security has been approved."