Add to favorites Examiner Bio

Local government—spawning grounds for identity theft (part 1)

The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumer’s personally identifiable and financial information entrusted to businesses and other organizations. Many such regulations aim to prevent identity theft and privacy violations.

 

While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or “crackers” who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President’s Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.

 

Information security breaches in businesses draw public and government ire.

 

Unauthorized access to credit card account numbers by crackers has been a highly publicized and emotionally charged consumer and regulatory issue. Take Heartland Payment Systems, which was PCI-DSS compliant. Heartland has been plagued with consumer and investor class action law suits, business partner law suits, regulatory penalties, dwindling stock price, lost business customers and consumer sentiments to oust the CEO because he delayed public disclosure in favor of allowing Federal Law Enforcement Agencies to investigate the crime.

 

The Heartland Payment Systems security breach potentially put more than a 100 million debit and credit card holders at risk. Card account numbers, expiration dates and data from the card’s magnetic stripe and, in a small percentage of cases, cardholder names, are potentially at risk according to Heartland. Although this breach is significant in many respects and is of concern, consumers have relatively low risk and liability to identity theft known as “existing account fraud.” Yes, some may suffer inconveniences and emotional concern because of the breach. If unauthorized charges are detected by cardholders, they can dispute the charge with the card issuer—just as we do for any other unauthorized charge that appears on our monthly credit card statement. Granted, this is an unnecessary inconvenience caused to cardholders because of the data breach.

 

Although you may not fully agree with my perspective on how consumers are affected by the Heartland breach, all businesses large or small are expected to comply with several state and federal identity theft, privacy and information security laws and industry regulations. Those who are ethical and notify consumers of breaches often face stark consequences even when there may be little potential harm to consumers.