Print this article | Return to Article | Return to CFO.com
Companies, Congress, and customers slug it out over some very personal information.
John Goff, CFO Magazine
December 1, 2003
Management at parent Guess eventually settled the charges, agreeing to follow stringent security measures for the next two decades. But the case is not exactly a freakish occurrence. These days, customer databases—and with them, customer Social Security numbers (SSNs), birth dates, and account balances—are being hacked on a fairly regular basis.
While some of the intrusions are harmless, many are not. In February, a cyberthief reportedly broke into a computer system at credit processor DPI Merchant Services. The database is believed to have contained some 10 million credit-card numbers.
The breach itself did not tick off lawmakers and consumer groups. What did? Some of the credit-card issuers that use the facility apparently failed to notify consumers about the incident.
Such inaction is not unusual. According to the FTC, 9 million people were victims of identity theft last year. Of that group, only 26 percent said they were notified of suspicious account activity by a card issuer or a bank.
Statistics like that—and a flood of voter complaints about statistics like that—have spurred some lawmakers to action. In July, California passed a watershed piece of legislation (SB1386) that requires U.S. companies to quickly inform Golden State residents when customer databases are compromised.
Consumer advocates hailed the law, arguing that businesses have long treated customers' personal data as their own private property. But some business leaders worry that SB1386 is the opening salvo in a battle that could cripple CRM initiatives and heap huge burdens on responsible corporate citizens.
Indeed, the Federal Deposit Insurance Corp. is considering a new regulation that would mimic SB1386. In September, Sen. Dianne Feinstein (D-Calif.) introduced a bill in Congress that mirrors the California statute. Feinstein also cosponsored an amendment to the Fair Credit Reporting Act (FCRA) that would limit customer data sharing among financial-services companies.
Both pieces of legislation were voted down in November, while certain business-friendly provisions of the FCRA were reauthorized. But even with that vote, the regulatory tide may be turning in favor of consumers. As Deborah Birnbach, an attorney at Boston-based Testa, Hurwitz & Thibeault LLP, notes: "The California law is an absolute shifting of risk [away from customers] and onto businesses." Adds Birnbach, who advises corporations on compliance issues: "Clients I've spoken to have expressed panic about this."
They should be panicked. At the very least, SB1386 could prove to be a public-relations nightmare.
Under the new law, any U.S.-based business that suffers a breach in an unencrypted customer (or employee) database must attempt to reach the Californians in the database via mail or E-mail. A company that does not contact two-thirds of the affected people through the mail will have to resort to more-public methods, including buying advertising space in local newspapers or posting notifications on corporate Websites.
Needless to say, taking out a full-page ad in the Los Angeles Times detailing a serious lapse in network security isn't the kind of branding CFOs dream of. "Some companies are worried about how expensive the notification will be," says Marne Gordon, director of regulatory affairs at Herndon, Va.-based security specialist TruSecure Corp. "Others worry about how many customers are going to run away."
An even bigger worry: how will customers outside of the West Coast react if they discover California residents were informed of a database breach and they weren't? Answers Arshad Noor, founder and CEO of StrongAuth Inc.: "From a PR perspective, companies will be shooting themselves in the foot if they notify only their California customers."
Sending mail to, say, a quarter of a million customers could get pricey, particularly for businesses that are hacked often. Nobody is quite sure how often corporate databases are compromised. In some cases, senior executives probably don't know the extent of the problem. Says Noor: "Computers systems are not as secure as CFOs may think they are."
Compliance experts also point out that SB1386 requires a swift response. After some early confusion over the exact time required for notification, the Office of Privacy Protection at the California Department of Consumer Affairs recently recommended that companies notify affected individuals within 10 days. "Disclosure is so rapid, companies will not have the luxury of examining exactly what happened," argues attorney Birnbach. "They may end up making disclosures without being sure any information was actually taken."
It's unclear how consumers might react to false alarms. But some observers believe most will be loyal to businesses that keep them apprised of any potential problems. "The requirements of the law really come down to good business ethics," insists Gordon.
It could also turn out to be just good business. "You'd think financial-services companies would be happier about this," notes one consultant. "The sooner a customer uncovers a theft, the less a company has to pay."
And make no mistake, companies are paying dearly for identity theft. The FTC estimates that last year alone, stolen customer Social Security numbers, driver's-license numbers, and the like cost corporations almost $50 billion. "SSNs and private numbers are really the Rosetta stone for identity theft," notes Gordon.
A hacker's chances of pilfering such crucial information increase greatly, experts note, when companies share sensitive customer data. Currently, a business intent on selling a customer's personal information does not have to get the customer's permission to do so. And few—if any—restrictions have been placed on the sharing of customer information with joint-marketing partners or affiliates.
That practice appears to be widespread. A Citibank representative, for instance, told the Senate Banking Committee that the bank collects customer information from affiliates to help determine a customer's eligibility for credit. Presumably, those internal credit ratings—gleaned from affiliate data—do not fall under the mandates of the Fair Credit Reporting Act.
The defeated Feinstein/Boxer amendment would let consumers opt out of affiliate data-sharing. The Senate did pass another Feinstein/Boxer amendment that allows consumers to permanently opt out of marketing by unrelated affiliates. "I believe that consumers should have the right to decide when, how, and to whom their personal information is shared," Feinstein noted in September.
The massive sign-up for the national Do Not Call Registry would seem to show that consumers agree. Certainly, the push for greater data privacy looks unstoppable.
Some companies are already getting out in front on the issue, turning consumer-friendly privacy policies into selling points. Online lender E-Loan, for one, does not share information with third-party marketers or affiliates unless customers opt in to the program. Expect other businesses to eventually follow suit. "If companies don't start policing their data," warns Noor, "the government will do it for them."
|Privacy Rules in Progress|
Efforts to enforce customer data privacy.
|Legislation||Status||What It Does|
|CA SB1386||Now in effect||Requires companies to quickly notify CA residents of any security breach in an unencrypted database|
|CA SB1||Signed into law, goes into effect 7/1||Requires financial institutions to get consent of customers before selling their info to third parties|
|U.S. S1350||Defeated||Would have created a national version of CA SB1386|
|Fair Credit Reporting Act||Certain provisions reauthorized in Nov.||Will restrict states from setting data-privacy laws that are tougher than federal statutes. Could gut CA SB1|
|Source: Legislative Web sites|