Tardy Notification Criticized as Loudly as Actual Data Loss


Bank of America Corp. is coming under fire for failing to notify people for two months that it had lost personal data on more than a million customers.


The customers were federal employees who used the U.S. General Services Administration SmartPay charge cards. The incident has sparked calls for hearings on identity theft.

"The wholesale loss of vast treasure troves of personal information is a new type of problem that requires us to fundamentally rethink how we approach data security and privacy," Sen. Patrick Leahy said in a press release issued Friday.

The Vermont Democrat is the Senate Judiciary Committee's ranking member, and one of his staffers was among those whose information was compromised.

Sen. Leahy decried the incident on the Senate floor Monday. "This is one of the dumbest things I've ever seen," he said during debate on the bankruptcy bill. "I'd hate to be a customer of Bank of America and wake up in the morning and find they were so stupid and so negligent they lost your information. They ought to be ashamed of themselves."

He said the committee plans to hold hearings on the security concerns posed by the loss of large blocks of consumer information.

Bank of America said Friday that several computer data tapes containing personal information of 1.2 million customers were lost in December while being shipped to a data center. The Charlotte company said it had seen no evidence that the tapes had fallen into criminal hands or that the customer data had been misused.

A week earlier the data storage firm ChoicePoint Inc. of Alpharetta, Ga., said that in October criminals impersonating businesses had obtained information on 144,778 people.

California is the only state that requires companies to disclose when consumer information has been compromised. In early February, ChoicePoint at first told only the 34,000 California residents who were affected by the incident. On Feb. 15 it disclosed the much larger extent of the problem.

Thirty-eight state attorneys general signed a letter to the company saying, "We insist that ChoicePoint take immediate corrective action to notify all citizens of our states who have or may have been affected by this breach."

Avivah Litan, a vice president at Gartner Inc. and a research director with the Stamford, Conn., market researcher, said of B of A and ChoicePoint: "Who are they to play God with my information? They're making the decision that Avivah Litan doesn't need to know her Social Security number was stolen for a few months."

B of A spokeswoman Alexandra Trower said the company was unable to disclose the loss sooner because the Secret Service was looking into it. "An investigation was ongoing," she said.

But Ms. Litan said it seemed odd that Bank of America or ChoicePoint might have been barred from revealing that they had lost personal details about so many people, especially since the California law requires just such notification.

The statute permits a delay in notifying customers "if a law enforcement agency determines that the notification will impede a criminal investigation."

However, Ms. Litan said B of A and ChoicePoint waited too long. "I can understand a week or two. Did they really need two months?"

If companies disclose the theft or loss of consumer information immediately, the worst that will happen is that criminals would "just hang on to the information and not use it right away, and that's a good thing, I think," Ms. Litan said.

The California law requires the timely disclosure to customers when their personal information has been lost or stolen, but "if you encrypt data, you don't have to notify," Ms. Litan pointed out.

The best way for banks to protect their customers from theft - and themselves from embarrassment - is to encrypt the data so that it is useless to anyone but the intended recipient, Ms. Litan said.
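The mitigation Ms. Litan describes, encrypting the data so that it is useless to anyone but the intended recipient, is shown below as an added example; it is not code from the original article or from any of the companies named in it. It is a small Go program using only the standard library (crypto/aes, crypto/cipher) that seals a backup record with AES-256-GCM: the function names EncryptBackup and DecryptBackup, the key, and the sample customer record are all constructed for illustration. Decrypting with a wrong key fails, and any alteration of the sealed blob is detected by the authentication tag, which is the property that makes a lost tape unreadable rather than merely "fragmented".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptBackup seals one backup record with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag. Without the key the
// blob reveals nothing but its length; with the key, any tampering is
// detected because the GCM tag no longer verifies.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// would break GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup opens a blob produced by EncryptBackup. It returns an error
// for a wrong key, a truncated blob, or any modified byte.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered data")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample key and record; a real deployment would fetch the
	// key from a key-management system, never store it alongside the tape.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("cardholder=J. Doe;ssn=000-00-0000;card=4000-0000-0000-0002") // constructed

	blob, err := EncryptBackup(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes, first bytes %x...\n", len(blob), blob[:8])

	// The holder of the key recovers the record.
	pt, err := DecryptBackup(key, blob)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Anyone who finds the tape but not the key gets an error, not data.
	wrongKey := make([]byte, 32)
	_, err = DecryptBackup(wrongKey, blob)
	fmt.Printf("with wrong key: err=%v\n", err)

	// A single flipped bit in the blob is rejected by the tag check.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptBackup(key, blob)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The point a practitioner should take from this is that the encryption only earns the notification exemption Ms. Litan mentions if the key is held separately from the media: a tape shipped with its key on the same cart is, in effect, unencrypted.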

Ms. Trower said that though the information on the B of A files was not encrypted, "you'd have to have a combination of highly sophisticated hardware, software, and specific operator knowledge" to be able to access the information, which is itself "structured in a highly fragmented way."

Sophie Louvel, an analyst at the Framingham, Mass., research firm Financial Insights Inc., a unit of International Data Group Inc., agreed that faster notification is important. "Banks have to be the first ones to help the customers get their accounts secure and get their lives back," she said.

She said this is because the damage to consumers and to banks can spread rapidly. "Typically, criminal organizations that do this sort of thing haven't done it just once. The pattern is repeated."

The Identity Theft Assistance Center in Washington, which informs other affected banks when a customer at one bank spots a potential identity theft, says ID thieves often open more than nine new accounts under a single victim's name.

Ms. Louvel said good encryption methods "are fairly effective" for transmitting information electronically and could have prevented the Bank of America loss. "This whole tape thing" at B of A "is a little bit of an archaic system," she said. "You should be able to send that securely over a secure link."

Rob Blackwell contributed to this story.
