former employee of U.S. Bancorp's NOVA Information Systems Inc., a billion dollar bankcard acquirer, has accused the company of negligent security and safeguard measures that allegedly may have compromised 1 billion credit card and Social Security numbers of up to 1 million business owners.

Nell Walton, a former NOVA database administrator, also has claimed that the chain of command at NOVA retaliated against her for voicing these concerns. She said NOVA's actions "created a hostile work environment and were part of a great culture of secrecy and fear" and that the hostility eventually forced her to leave the company in March 2005 for medical reasons.

A NOVA spokeswoman said the company cannot comment on any past or pending legal actions or on the status of any employee. She did, however, say, "We have passed all of the Visa and MasterCard PCI [Payment Card Industry] Data Security Standards and are currently in compliance."

Walton said she became aware of the alleged data security issues early in 2004 while assisting with a project to bring NOVA into compliance with Visa's Cardholder Information Security Program (CISP).

As Visa's Sep. 30, 2004 compliance deadline drew closer, Walton's "security concerns," as stated in her complaint, "led her to begin researching requirements for 'CISP' compliance." She said these concerns resulted from supervisor Frank Erjavec's failing "to follow code change procedures and timelines."

On June 6, 2004 Walton met with her immediate supervisor to discuss the issue. Several weeks later she met with NOVA Executive Vice President Erik Toivenen "at his request in response to questions and concerns that she had raised by e-mail," the complaint states. It also states that on Nov. 2, 2004 Erjavec was "found to have affected an unapproved database change ... outside of the procedures and approval described in the Change Control Process," for CISP compliance.

Evan Hendricks, Editor of the Washington D.C.-based newsletter "Privacy Times," covered the story in his publication ("Ex-Employee Alleges Lax Security at Card Processor," Vol. 25, No. 20, Oct. 25, 2005). In his article, Hendricks quoted Erjavec as saying, "'I don't think her charges are valid at all. We are Visa- and MasterCard-compliant. We are audited all the time. If you want to be in business with Visa and MasterCard, you have to take security seriously.'"

Visa's current list of CISP-compliant companies (dated Oct. 25, 2005 at press time) shows NOVA being compliant as of Nov. 30, 2004, with annual audit results due Nov. 30, 2005. Walton originally filed a complaint in April 2005 under the Sarbanes-Oxley (SOX) Act; the complaint included both data security and whistle blower protection issues. Designed to curb corporate financial and securities fraud, the Act includes a provision meant to protect whistleblowers in financial industries from discrimination by their employer.

A whistleblower complaint begins with an investigation by the Department of Labor's Occupational Safety and Health Administration (OSHA). Before OSHA heard Walton's concerns, she retained the services of whistleblower attorney Thad Guyer of Oregon-based Whistleblower Defenders and refiled a formal version of the complaint. However, OSHA dismissed Walton's complaint in August saying it did not fall under SOX guidelines.

She appealed OSHA's decision to the Department of Labor's Office of Administrative Law Judges (OALJ) at the end of August.

The complaint and appeal have been consolidated into one case before the OALJ. If a decision is not reached within a 180 days, Walton can go to the federal appellate courts. She is seeking reinstatement and damages of $1 million. However, the current OLAJ proceedings only address whether she is entitled to these protections under SOX. Whether or not NOVA's systems are secure is unrelated.