Suffering in silence with data leaks

Current laws may not compel merchants to notify consumers when their personal information is stolen.

Lynn Perry was living an online shopping nightmare.

A hacker had snatched her home address and phone and credit card numbers--even the three-digit security code printed on the back of her credit card--and was offering them to anyone willing to pay the asking price: $5.

Perry, a copyright attorney from Mill Valley, Calif., was among 10 people whose personal data was posted last month on a Web site that specializes in the trafficking of stolen information. Even worse, no one bothered to tell her that her credit card information had been compromised.

It's likely that no one was required to do so. Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss.

Most existing laws give merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a breach if disclosing it would interfere with a police investigation.

That's a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of , a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case "under investigation," he said.

"Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust."

Behind the break-ins
The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever."

A national retailer suffered a data breach late last year and thieves managed to steal debit card information, including personal identification numbers (PINs), from thousands of consumers across the country. After reports of fraud began to pile up, dozens of banks and credit unions across the country began replacing more than 200,000 debit cards.

Perry lost her personal information in a far smaller incident. She and six other people interviewed by CNET whose details were being sold on the same Web site had one thing in common: They shopped at online electronics store JDM Infrastructure. But none of the victims knew their information had been stolen because JDM Infrastructure had never notified them, they said.

While John Marks, chief executive of JDM Infrastructure, acknowledged that the company knew about a computer break-in, he said no customer data was lost. The online electronics reseller doesn't store such information, he said. But regardless of who lost it, did Marks feel compelled to warn customers of the potential threat of identity theft?

"We did everything we're supposed to do," Marks said.

Marks may well be right, but consumer advocates are alarmed by such attitudes.

"Companies who lose this kind of information owe it to their customers to take responsibility," said Christopher Goetcheus, spokesman for the Massachusetts Office of Consumer Affairs. "We want companies to treat their customers' trust as their most important asset."

On the lawbooks
To understand the problem with disclosure laws around the U.S., California's SB 1386 is a good place to start, because most other state laws were patterned after it.

Passed in September 2002, the California law allows a merchant to stay quiet about a digital data breach if the information lost was encrypted. This exemption could apply even if the "key" needed to unlock the encryption was stolen along with the data, analysts said, since the law does not ask whether the encryption still protects anything. In addition, the state law is unclear about a merchant's responsibility when the intrusion happens at the company's technology provider, such as a Web hosting company, rather than at the merchant itself.

The law also requires notification to any resident "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." But it offers no criteria for determining "reasonable" belief. Merchants are left to decide for themselves what is reasonable, legal experts said.

While California's law allows plenty of leeway to merchants, consumer advocates say New York's state disclosure law is a model for consumer protection. Passed in August 2005, the New York law requires any data compromise that has exposed the personal information of New York residents to be disclosed.
