The Green Sheet Online Edition
September 12, 2011 • Issue 11:09:01
Identity theft: It's not just PCI anymore
All business entities are obligated to know what regulations apply to their businesses and take all reasonable measures necessary to secure the data their customers entrust to them.
Identity theft is the number one concern of consumers and therefore one of regulators' highest priorities. Each state and many industries (including banking and health care) have their own requirements over and above federal regulations.
In the merchant services industry, the Payment Card Industry (PCI) Data Security Standard (DSS) is now a household phrase. Your merchants are reminded monthly about PCI when they get their statements and see the monthly or annual fees assessed for "PCI compliance."
The PCI DSS is managed by the Payment Card Industry Security Standards Council, a body of industry experts that defines the standard all card brands adhere to and build their compliance programs around. Those programs include Visa Inc.'s Cardholder Information Security Program, American Express Co.'s Merchant Data Security Standard and MasterCard Worldwide's Site Data Protection.
The power of PII
Identity theft is the theft of personally identifiable information (PII) and its use for fraudulent purposes. The following are currently identified as PII: Social Security numbers, dates of birth, driver's license numbers, credit and debit card numbers, and check routing and account numbers.
However, the definition, and therefore the set of data elements that must be protected, keeps expanding. For example, on Feb. 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores that a ZIP code collected during a credit card transaction is personal identification information protected under California's Song-Beverly Credit Card Act. Internet Protocol addresses may also be considered PII.
The PCI DSS is just a small part of the picture. It covers cardholder data: card account numbers and the cardholder details stored alongside them, and nothing else. But what about all the other PII a business may store, process or access, such as customer or employee records containing names, addresses, phone numbers, possibly Social Security numbers, bank routing and account numbers, email addresses, and financial or health information?
All of this is considered private information, and the PCI DSS deals with only one small subset of it.
Numerous state and federal regulations address PII security. Why should your merchants care? Because if they don't, there could be significant business and personal repercussions - and not just if their systems are compromised.
The Federal Trade Commission takes its role of protecting U.S. consumers seriously. Many state regulations are even more stringent than those of the FTC, and the state attorneys general are actively pursuing businesses that fail to properly protect consumer data.
Companies found to be in violation of state regulations face stiff sanctions, often significant monetary fines with requirements to implement controls and, in many instances, ongoing reporting to the regulatory authority, often for many years.
Case studies: A pound of cure
To quote Benjamin Franklin, "An ounce of prevention is worth a pound of cure." Here are some case studies that illustrate "the pound of cure" that could have been avoided with prudent, proactive prevention and adherence to federal and state regulations in addition to the PCI DSS.
Regarding the cases involving the FTC, the filing of a complaint is authorized when the FTC has "reason to believe" the law has been or is being violated, and it appears the proceeding is in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law. The stipulated order is for settlement purposes only and does not constitute an admission by the defendant of law violation.
In addition, a consent order issued by the FTC carries the force of law and civil penalties of up to $16,000 for each violation.
Penalties for selling marketing lists: FTC fines Teletrack
The FTC reported in June 2011 that credit reporting agency Teletrack Inc. "agreed to pay $1.8 million to settle charges that it sold credit reports to marketers in violation of the Fair Credit Reporting Act (FCRA)." As a credit reporting agency, Teletrack is bound by FCRA regulations. The company, however, allegedly chose to sell its list of customers for marketing purposes. Seems fairly harmless, doesn't it? Companies sell their customer lists all the time for "marketing" purposes.
However, in this case Teletrack's lists included financial data, which is considered sensitive and is subject to more stringent controls. To sell that information for marketing purposes, Teletrack would have needed the express consent of its customers. Because it did not obtain that consent, it was investigated by the FTC and, in addition to the $1.8 million penalty, faced the following sanctions. It must:
- Provide written reports detailing the manner in which the company has complied with the court order annually for three years
- Maintain lists of all entities the company supplies consumer reports to, copies of all training materials related to the collection and sale of consumer reports, and documentation demonstrating full compliance with the court order for six years
- Provide a copy of the court order to all officers, vice presidents, directors, managers, employees, agents and representatives for three years
(FTC File No. 102-3075; Civ. No. 1:11-CV-2060)
Penalties for misleading consumers: FTC settlement with Chitika
Also in June, the FTC finalized the order "settling charges that online advertising company Chitika Inc. tracked consumers' online activities even after they chose to opt out of online tracking on the company's website."
Visitors to Chitika's website were offered a way to opt out of the tracking cookies the company set in their browsers for targeted advertising, and could reasonably have believed that choice was being honored.
And while Chitika did offer an opt-out option, the cookie that recorded that choice expired after 10 days.
This detail was not disclosed to consumers, who would reasonably assume an opt-out would be honored for months or years, not days. As a result, the FTC ordered Chitika to do the following:
- Not misrepresent the extent to which consumers may exercise control over and the extent to which data is collected, used, disclosed or shared
- Provide a clear and prominent notice on its website providing an opt-out option for the collection of customers' activities
- Notify customers who had previously opted out that their choice had expired and provide them the opportunity to renew their opt-out choice
- Ensure that every targeted ad includes a hyperlink that takes consumers to a clear opt-out mechanism that allows consumers to opt out for at least five years
- Destroy all identifiable user information collected when the defective opt out was in place
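The opt-out at issue here is just a cookie, and the lifetime given to that cookie decides how long the consumer's choice is honored. What follows is an added example, not part of the original article and not Chitika's code: a small Python audit that reads the lifetime an opt-out cookie is granted in a Set-Cookie header and flags anything below the five-year floor in the order, next to the server-side check that consults the cookie on each ad request. The cookie name opt_out, the header lines and the Sept. 12, 2011 reference date are constructed assumptions for the example.

```python
"""Audit and honor an advertising opt-out cookie.

Added example, not from the original article and not Chitika's code. It shows
the failure mode in the Chitika settlement (an opt-out cookie that lapses after
10 days) next to a cookie that meets the order's five-year floor, plus the
server-side check that must consult the cookie on every ad request. The cookie
name "opt_out" and the Set-Cookie lines below are constructed for this example.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

OPT_OUT_COOKIE = "opt_out"                    # assumed cookie name
MIN_OPT_OUT_SECONDS = 5 * 365 * 24 * 3600     # five years, the order's floor
TEN_DAYS = 10 * 24 * 3600

# Constructed Set-Cookie headers: the defective opt-out and a compliant one.
SHORT_LIVED = f"{OPT_OUT_COOKIE}=1; Max-Age={TEN_DAYS}; Path=/; Secure"
LONG_LIVED = f"{OPT_OUT_COOKIE}=1; Max-Age={MIN_OPT_OUT_SECONDS}; Path=/; Secure"
# The same 10-day defect expressed with Expires instead of Max-Age, evaluated
# against the article's publication date so the result is deterministic.
EXPIRES_STYLE = f"{OPT_OUT_COOKIE}=1; Expires=Thu, 22 Sep 2011 00:00:00 GMT; Path=/"
ARTICLE_DATE = datetime(2011, 9, 12, tzinfo=timezone.utc)


def cookie_lifetime_seconds(set_cookie_header, name=OPT_OUT_COOKIE, now=None):
    """Lifetime in seconds granted to cookie `name` by a Set-Cookie header.

    Max-Age wins over Expires (RFC 6265, section 5.3). A cookie with neither
    is a session cookie that dies with the browser session, so it returns 0.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise KeyError(f"no cookie named {name!r} in header")
    morsel = jar[name]
    if morsel["max-age"]:
        return int(morsel["max-age"])
    if morsel["expires"]:
        now = now or datetime.now(timezone.utc)
        expires = parsedate_to_datetime(morsel["expires"])
        return int((expires - now).total_seconds())
    return 0


def audit_opt_out(set_cookie_header, now=None):
    """Return (compliant, lifetime_seconds) for the opt-out cookie."""
    lifetime = cookie_lifetime_seconds(set_cookie_header, now=now)
    return lifetime >= MIN_OPT_OUT_SECONDS, lifetime


def tracking_allowed(cookie_header):
    """Decide, on an ad request, whether behavioral tracking may proceed.

    `cookie_header` is the request's Cookie header. The opt-out is honored
    only while the browser still sends the cookie, which is why its lifetime
    matters: once it lapses, this function quietly returns True again.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    opted_out = OPT_OUT_COOKIE in jar and jar[OPT_OUT_COOKIE].value == "1"
    return not opted_out


if __name__ == "__main__":
    for label, header in (("10-day", SHORT_LIVED), ("5-year", LONG_LIVED)):
        ok, secs = audit_opt_out(header)
        print(f"{label} opt-out: {secs} s, compliant={ok}")
    ok, secs = audit_opt_out(EXPIRES_STYLE, now=ARTICLE_DATE)
    print(f"Expires-style opt-out: {secs} s, compliant={ok}")
    print("tracking with opt-out present:", tracking_allowed(f"{OPT_OUT_COOKIE}=1; sid=abc"))
    print("tracking after cookie lapsed: ", tracking_allowed("sid=abc"))
```

The audit side is what a reviewer would run against a site's actual Set-Cookie responses; the `tracking_allowed` side shows why a short-lived cookie silently re-enables tracking without any change to server logic, which is the behavior the order addresses.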
(FTC File No. 102-3087; Docket No. C-4324)
Penalties for not protecting sensitive data: Texas Attorney General v. Life Time Fitness
Life Time Fitness Inc., a Minnesota-based health club chain, was investigated by the Texas Attorney General in response to a complaint that the company did not safeguard the large amounts of sensitive personal information it collected from customers, including Social Security, driver's license and credit card numbers.
Investigators found hundreds of documents in dumpsters adjacent to the fitness center facilities containing this sensitive personal information. Additionally, Life Time Fitness' privacy and security notices provided to its customers indicated the company would safeguard customers' private information.
Due to the egregious nature of these violations, Life Time Fitness faces fines up to $50,000 for each violation of the Texas Identity Theft Enforcement and Protection Act and up to $25,000 per violation of the state's Deceptive Trade Practices Act (actual fines imposed are not known at this time).
Source: Texas Attorney General
These are just a few examples of the types of situations companies may find themselves in, illustrating the need to make sure your merchant customers:
- Are aware of the regulations regarding the safety and security of any personal data their company collects or has access to in the course of doing
- Have in place proper security processes and procedures
- Enforce security processes and procedures with all employees that come into contact with the data.
Linda Grimm, Certified Information Privacy Professional (CIPP), is Senior Consultant, and Ross Federgreen, CIPP, is the founder of CSRSI, the leading payment and privacy consulting firm. Linda can be reached at firstname.lastname@example.org; Ross can be reached at email@example.com. For more information or assistance in learning about the regulations as applicable to your or your merchant customers' business, contact CSRSI at 866-462-7774 or online at www.csrsi.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.