The Green Sheet Online Edition
June 27, 2011 • Issue 11:06:02
Insider's report on payments
Data breaches renew privacy concerns
A few years ago, Citigroup Inc. ran a series of advertisements proclaiming "Citi never sleeps." Now, I'm not a marketing guru, but I'm willing to bet the intended message was that Citi is a safe place to do business: that no one there falls asleep on the job, so to speak.
Images of those ads ran through my head as I read in June 2011 that Citi had been hacked, compromising information on at least 200,000 credit cardholders.
It wasn't just a sense of irony that triggered those images. It was the rude reminder that securing personal customer information (especially credit and debit card numbers) is like playing a game of whack-a-mole: hackers never go away; they just keep popping up in other places. And these days, those other places include some really big companies.
Breaches becoming commonplace
News of the Citi hack followed reports in late March that hackers had gained access to millions of email addresses at Epsilon Data Management LLC (which is used by some of the largest banks and retailers for email marketing blasts) and in April about a breach at Sony Corp. that compromised information on more than 100 million users of that company's PlayStation online game network.
Also, RSA Security Inc., a data security firm used by many of the largest banks and other companies revealed this spring it was breached by hackers (for more information, see "Payment fraud, rising to the challenge," by Patti Murphy, The Green Sheet, April 11, 2011, issue 11:04:01).
Experts tell us many of the most egregious data breaches to date have been the work of organized criminals working from boiler rooms in some of the darkest corners of Europe and Asia. Some are said to be advancing political agendas, but most are in it for money and other material rewards.
From the victims' perspectives the consequential costs of being hacked loom large. The Ponemon Institute, a Michigan-based think tank, estimates data breaches cost U.S. companies about $214 per compromised record. Not included in that figure are indirect costs, like diminution of trust and customer churn.
Among corporate victims of data fraud surveyed last year by Information Security Media Group, 18 percent experienced customer churn.
Meanwhile, Javelin Strategy & Research reported financial institutions have lost more than $590 million in small business clients and revenue opportunities, alone, over the last five years as a result of data frauds and identity thefts involving those clients. Data and identity thefts are costing consumers more, too: $631 per incident in 2010 compared with $387 in 2009, Javelin noted.
Privacy expectations declining
What troubles me most about this situation are the psychological implications. It's as though we've become anesthetized to looming threats of data piracy. No one seems to pay much attention to news of data breaches. And many of us seem to accept frequent card replacements. (One of my cards has been replaced twice in the past year due to possible compromises.)
Remember the hoopla when Heartland Payment Systems Inc. was hacked? Some folks predicted Heartland would be sunk by that incident, yet I don't hear anybody today suggesting Sony or Citi might suffer such a fate.
Growing up in the 1960s, I was made keenly aware of the need to protect individual privacy against encroaching technologies and Big Brother. And one of my first journalism jobs (in the early 1980s) was writing a financial privacy newsletter.
So I was surprised a recent AARP survey found only 36 percent of folks 65 and older who participate on social networking sites use those sites' privacy settings. Some of that can be attributed to ignorance, but I also fear many folks may have given up the ghost of privacy protection.
We live in a world today where information about our individual purchasing habits, online browsing, even our physical whereabouts can be collected, analyzed and used with split-second precision, often without our direct knowledge. Even when we have the opportunity to assess how companies protect our private information, we oftentimes don't.
According to a 2008 survey by the Consumer Privacy Awareness Project, fewer than a third (32 percent) of consumers read carefully the privacy policies of Internet service providers; 30 percent read online retailers' policies and a mere 18 percent read search engine privacy policies. I wonder what percentage of consumers today, if asked, would say they read mobile carriers' privacy policies.
Legislators stepping in
I like the notion of mobile payments. But I have concerns about the security of mobile payments, especially from the merchant acquiring perspective, and the implications that has for individual expectations of privacy. And I'm not alone. In May, two separate U.S. Senate committees held hearings to address privacy concerns raised by mobile technologies.
"The mobile marketplace is so new and technology is moving so quickly that many consumers do not understand the privacy implications of their actions," Sen. John D. Rockefeller, D-W.Va., said at a hearing before the Senate Commerce Committee Subcommittee on Consumer Protection, Product Safety and Insurance.
Rockefeller introduced legislation - the Do-Not-Track Online Act of 2011 - that would empower the Federal Trade Commission to establish procedures consumers can use to stop online tracking of personal information.
In June, Sen. Patrick Leahy, D-Vt., reintroduced an online privacy bill that languished in past sessions of Congress. The Personal Data Privacy and Security Act proposes tough new data security routines for companies that collect and store sensitive consumer information. It also includes a national data breach notification standard, among other things. The Senate Judiciary Committee, which is chaired by Leahy, approved this legislation in each of the last three sessions of Congress.
"The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country," Leahy said in a statement.
Indeed. But let's not forget the issue at hand is personal privacy. As individuals, we have critical roles to play in securing the privacy of our personal information. Mandates and disclosure requirements are meaningless without consumer buy in.
Patti Murphy is Senior Editor of The Green Sheet and President of The Takoma Group. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.