The Green Sheet Online Edition
August 22, 2011 • Issue 11:08:02
SAFE Data notification bill: Does it go far enough?
On July 20, 2011, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Trade approved, by voice vote, a version of a federal data breach notification bill. The legislation, the Secure and Fortify Electronic (SAFE) Data Act, is intended to enhance protection of personal information by establishing uniform national standards. If enacted, the SAFE Data Act (H.R. 2577) would preempt the breach notification laws now on the books in 47 states and require notification of consumers within 48 hours after the breached information has been identified, unless the intrusion was inadvertent and unlikely to result in harm.
Data covered by the SAFE Data Act is restricted to identification codes such as Social Security, passport, driver's license and credit card numbers. Yet even with this progress toward a national standard for breach notifications, the legislation leaves real ambiguity. For example, what is an inadvertent breach? If the breached data is just an email address, it can be argued that an email address is itself partially sensitive: when a fraudster cannot pull down credit card numbers or other more sensitive personal information, the next best thing is a list of email addresses. With an address, a fraudster can start phishing, that is, attempting to acquire user names, passwords and credit card details by masquerading as a trustworthy entity in an email. If only emails are compromised, will that fall under "inadvertent breach unlikely to cause harm"?
Protecting the personal is political
Committee member Rep. Henry Waxman, D-Calif., said, "The biggest loophole in the bill is its definition of personal information. There is no protection for personal emails; no protection for personal photographs and videos stored online; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; [and] no protection for payroll records." The Federal Trade Commission supports provisions in the SAFE Data Act authorizing the agency to obtain civil penalties for violations. FTC Commissioner Edith Ramirez stated, "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective."
As drafted, the legislation would require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of data. The bill requires notification of affected consumers after discovery of a breach, unless that breach was innocent or inadvertent and unlikely to result in harm. Organizations must begin notifying consumers within 48 hours, after taking steps to prevent further breaches and determining who has to be notified.
Laws and compliance rules not enough
This prospective notification law sounds a lot like the Payment Card Industry (PCI) Data Security Standard (DSS) and related security rules. We all know that PCI compliance alone is not enough to prevent a breach at our merchants. A merchant that meets only the PCI baseline and nothing more is still exposed.
Take, for instance, a PCI compliant merchant who keys in all transactions through a payment gateway's virtual terminal. In this scenario the card number is typed as ordinary keystrokes and exists in the clear on the merchant's PC before the browser ever sends it to the gateway, so anything running on that PC can read it. This is just one example in which being merely PCI compliant, and taking no extra security measures, can still end in a breach.
Why not set an industry standard that transactions keyed into virtual terminals must be entered through encrypting keypads? If the card data is encrypted inside the keypad and the merchant's computer only ever handles ciphertext, an intruder who breaks into the merchant's network or PC gets nothing usable: no readable card numbers and no personal data. The protection is only as good as the key management between keypad and gateway, but it removes the merchant's PC from the list of places where cleartext card data can be stolen.
Go the extra mile
A common way for fraudsters to steal credit card information is malware with an embedded key logger, which records the keystrokes on infected computers. When merchants use encrypting keypads, the keystrokes never reach the infected computer in the clear, so data thieves capture nothing they can use. To show why sensitive information matters and why we need more uniform laws, here are some appalling statistics from last year. The FTC recently released its list of the top consumer complaints received by the agency in 2010. For the eleventh year in a row, identity theft was the number one consumer complaint. A total of 1,339,265 complaints were received in 2010; roughly 19 percent were related to identity theft.
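The argument above, that an encrypting keypad defeats a key logger on the merchant's PC while a plain virtual terminal does not, as an added example that is not part of the original article and is not code from NMI or any gateway product. The merchant's PC is modelled as already infected: everything it handles is copied into a keylog. With the plain virtual terminal the PAN is typed into the PC and lands in that log; with the keypad the PC only ever handles ciphertext. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) and the shared device key are assumptions chosen so the example runs on the Python standard library; a real keypad would use a certified hardware module and standard algorithms, and the key would be injected out of band. The card number is a constructed, well-known Luhn-valid test value, not a real account.

```python
"""Added example: why an encrypting keypad defeats a host keylogger.

Assumptions (not from the article): a device key shared by keypad and
gateway, HMAC-SHA256 counter mode as the cipher, and a merchant PC that
logs every byte it touches.
"""
import hashlib
import hmac
import os

TEST_PAN = "4111111111111111"  # constructed sample input: a Luhn-valid test number, not a real card


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; the gateway uses it as a sanity check on decrypted data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(device_key: bytes):
    """Separate encryption and MAC keys derived from the injected device key."""
    enc = hmac.new(device_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"mac", hashlib.sha256).digest()
    return enc, mac


class EncryptingKeypad:
    """Keypad that encrypts digits internally; only ciphertext crosses the cable to the PC."""

    def __init__(self, device_key: bytes):
        self._enc_key, self._mac_key = _subkeys(device_key)

    def capture(self, pan: str) -> bytes:
        nonce = os.urandom(12)
        pt = pan.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self._enc_key, nonce, len(pt))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag


class Gateway:
    """Payment gateway holding the same device key (assumed injected out of band)."""

    def __init__(self, device_key: bytes):
        self._enc_key, self._mac_key = _subkeys(device_key)

    def decrypt(self, blob: bytes) -> str:
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext tampered with or wrong device key")
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct)))).decode()
        if not luhn_valid(pan):
            raise ValueError("decrypted PAN fails Luhn check")
        return pan


class InfectedHost:
    """The merchant's PC with a key logger: every byte it handles is recorded."""

    def __init__(self):
        self.keylog = []

    def plain_virtual_terminal(self, pan: str) -> bytes:
        typed = pan.encode()        # keystrokes pass through the OS in the clear
        self.keylog.append(typed)
        return typed                # what the browser would post to the gateway

    def keypad_virtual_terminal(self, keypad: EncryptingKeypad, pan: str) -> bytes:
        blob = keypad.capture(pan)  # the PC never sees the digits
        self.keylog.append(blob)
        return blob


def pan_leaked(host: InfectedHost, pan: str) -> bool:
    """Would a thief reading the key log find the card number?"""
    return any(pan.encode() in entry for entry in host.keylog)


def demo(pan: str = TEST_PAN) -> dict:
    device_key = os.urandom(32)     # assumption: provisioned into keypad and gateway out of band
    keypad, gateway = EncryptingKeypad(device_key), Gateway(device_key)

    plain_host = InfectedHost()
    plain_host.plain_virtual_terminal(pan)

    keypad_host = InfectedHost()
    blob = keypad_host.keypad_virtual_terminal(keypad, pan)

    return {
        "plain_terminal_leaked": pan_leaked(plain_host, pan),
        "encrypting_keypad_leaked": pan_leaked(keypad_host, pan),
        "gateway_recovered": gateway.decrypt(blob),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the plain terminal leaking the number into the key log and the keypad path leaking nothing, while the gateway still recovers the PAN. The MAC matters as much as the encryption: without it, malware on the PC could flip ciphertext bits to alter the account number in transit without the gateway noticing.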
An ounce of prevention, a pound of regret
One of the most common questions asked is whether identity theft can be prevented. The answer is both yes and no. You and your customers can take measures to protect yourselves and reduce the risk. The harder you make your sensitive and identifying information to steal, the less likely it is that someone will spend the time trying.
Fraudsters will move on to the next person or merchant who is not protected. Criminals look for the path of least resistance. So keep this in mind when you, and your merchant customers, select preventive measures. Within today's payments industry, security practices need to be firmed up. Merchants and consumers need to feel comfortable when spending money, knowing that their personal information is being protected by the policies and procedures in place. Where that confidence is lacking, consumers will spend less. Is legislation going in the right direction?
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.