CFO Magazine, December 2003 Issue

Whose Life Is It, Anyway?

Companies, Congress, and customers slug it out over some very personal information.

December 1, 2003

Like most virtual retailers, Guess.com—the online outfit of clothier Guess Inc.—proudly displays its privacy policy right on the Website. Six months ago, the pledge read: "This site has security measures in place to protect the loss, misuse, and alteration of the information under our control." Reassuring stuff. There's just one problem: the promise was evidently more lip service than customer service. In June, the Federal Trade Commission (FTC) filed a complaint against the E-tailer, claiming that it didn't take much guessing for hackers to access Guess.com's customer database. Apparently, one shopper was able to view credit-card numbers simply by entering a string of SQL characters into the site's address bar.

Management at parent Guess eventually settled the charges, agreeing to follow stringent security measures for the next two decades. But the case is not exactly a freakish occurrence. These days, customer databases—and with them, customer Social Security numbers (SSNs), birth dates, and account balances—are being hacked on a fairly regular basis.

While some of the intrusions are harmless, many are not. In February, a cyberthief reportedly broke into a computer system at credit processor DPI Merchant Services. The database is believed to have contained some 10 million credit-card numbers.

The breach itself did not tick off lawmakers and consumer groups. What did? Some of the credit-card issuers that use the facility apparently failed to notify consumers about the incident.

Such inaction is not unusual. According to the FTC, 9 million people were victims of identity theft last year. Of that group, only 26 percent said they were notified of suspicious account activity by a card issuer or a bank.

Statistics like that—and a flood of voter complaints about statistics like that—have spurred some lawmakers to action. In July, California passed a watershed piece of legislation (SB1386) that requires U.S. companies to quickly inform Golden State residents when customer databases are compromised.

Consumer advocates hailed the law, arguing that businesses have long treated customers' personal data as their own private property. But some business leaders worry that SB1386 is the opening salvo in a battle that could cripple CRM initiatives and heap huge burdens on responsible corporate citizens.

Indeed, the Federal Deposit Insurance Corp. is considering a new regulation that would mimic SB1386. In September, Sen. Dianne Feinstein (D-Calif.) introduced a bill in Congress that mirrors the California statute. Feinstein also cosponsored an amendment to the Fair Credit Reporting Act (FCRA) that would limit customer data sharing among financial-services companies.

Both pieces of legislation were voted down in November, while certain business-friendly provisions of the FCRA were reauthorized. But even with that vote, the regulatory tide may be turning in favor of consumers. As Deborah Birnbach, an attorney at Boston-based Testa, Hurwitz & Thibeault LLP, notes: "The California law is an absolute shifting of risk [away from customers] and onto businesses." Adds Birnbach, who advises corporations on compliance issues: "Clients I've spoken to have expressed panic about this."

Ad Nauseam
They should be panicked. At the very least, SB1386 could prove to be a public-relations nightmare.

Under the new law, any U.S.-based business that suffers a breach in an unencrypted customer (or employee) database must attempt to reach the Californians in the database via mail or E-mail. A company that does not contact two-thirds of the affected people through the mail will have to resort to more-public methods, including buying advertising space in local newspapers or posting notifications on corporate Websites.

Needless to say, taking out a full-page ad in the Los Angeles Times detailing a serious lapse in network security isn't the kind of branding CFOs dream of. "Some companies are worried about how expensive the notification will be," says Marne Gordon, director of regulatory affairs at Herndon, Va.-based security specialist TruSecure Corp. "Others worry about how many customers are going to run away."

An even bigger worry: how will customers outside of the West Coast react if they discover California residents were informed of a database breach and they weren't? Answers Arshad Noor, founder and CEO of StrongAuth Inc.: "From a PR perspective, companies will be shooting themselves in the foot if they notify only their California customers."

Sending mail to, say, a quarter of a million customers could get pricey, particularly for businesses that are hacked often. Nobody is quite sure how often corporate databases are compromised. In some cases, senior executives probably don't know the extent of the problem. Says Noor: "Computer systems are not as secure as CFOs may think they are."

Compliance experts also point out that SB1386 requires a swift response. After some early confusion over the exact time required for notification, the Office of Privacy Protection at the California Department of Consumer Affairs recently recommended that companies notify affected individuals within 10 days. "Disclosure is so rapid, companies will not have the luxury of examining exactly what happened," argues attorney Birnbach. "They may end up making disclosures without being sure any information was actually taken."
