Alarmed by the sharp increase in identity theft, lawmakers and regulators are turning their attention to the database-security measures of financial institutions and merchants.
It can be as low-tech as the theft of a laptop computer containing customers' personal information or as high-tech as a break-in to a merchant's database by a hacker using sophisticated software. The end result is the same: the exposure of customers' confidential data that can be used for identity theft and other types of card fraud.
In most cases, merchants or financial institutions that suffer a security breach don't notify the affected customers, fearing that such an admission will cost them business.
There is good reason for their concerns. Almost 75% of consumers said privacy and security were very important considerations in their purchasing decisions, according to the 2003 Customer Information Protection Survey prepared by the Tucson, Ariz.-based Ponemon Institute for Vontu Inc., an information security firm.
About 50% of survey respondents stated they would move their business to another company if they did not have confidence in a company's ability to protect their personal data.
The survey also found that consumers take a three-strike approach to database security, says Doug Camplejohn, vice president of products and marketing for San Francisco-based Vontu. Thirty-one percent said they would cease doing business with a company that had sent out a single notice of a database breach, 65% would cease doing business after two or fewer notifications, and 91% would cease doing business after three or fewer notifications.
Yet companies' reticence about database breaches, while understandable, can have serious consequences for their customers. Often, the first notice customers have that their confidential data have been stolen is when they see fraudulent charges on their credit card bills, unfamiliar loans on their credit reports or dunning notices from companies with which they never did business.
The reluctance to reveal a security breach also can cause problems for merchants that unwittingly accept fraudulent cards. Such fraud can lead to increased costs to the merchants in the form of actual losses, penalty fees and higher interchange rates.
But all that may be changing. A California law (S.B. 1386) requiring companies to notify customers of security breaches of confidential information took effect last July. "The thinking behind the law is really that the notice requirement should be a stick you want to avoid," says Joanne McNabb, chief of the California Office of Privacy Protection. "We don't want to notify people every other day that something happened to their data, heaven forbid. We want the organizations that have the data to review their practices, improve them and protect (the data)."
A spokesperson for the California Attorney General's office said in mid-February he is unaware of any enforcement action for violations of the law.
The California law was used by U.S. Sen. Dianne Feinstein, D-Calif., as a model for a bill she introduced in Congress in June 2003. Entities that fail to comply with the bill would be subject to fines by the Federal Trade Commission of $5,000 per violation or up to $25,000 per day while the violation persists. State attorneys general also could file lawsuits to enforce the statute.
Hijacked Data
Also at the federal level, banking regulators are putting the finishing touches on guidelines that will force financial institutions to disclose theft of personal data. The guidelines interpret a section of the Gramm-Leach-Bliley Act dealing with the protection of customers' confidential information.
The FTC and the New York Attorney General also recently took action against merchants that left customers' personal information accessible to the World Wide Web.
Lawmakers and regulators would appear to have their fingers on the pulse of the public. About 70% of those responding to the Ponemon survey said the government should pass new laws to require companies to notify them when their personal information is stolen or compromised.
What's responsible for this increase in legislative, regulatory and legal activities is the explosive growth in identity theft fraud over the past five years. Between October 1998 and September 2003, 27.3 million adults were victims of identity theft, including 9.9 million in 2002 alone, according to an FTC survey.
In most cases of credit card fraud, cardholders are liable at most for $50 in charges. With ID fraud, however, thieves hijack a consumer's personal data to apply for credit cards, mortgages, auto loans and other consumer loans.
Reclaiming their financial identities takes a heavy financial and emotional toll on victims. According to the FTC survey, consumers reported $5 billion in out-of-pocket expenses tied to ID theft in 2002. And Americans spent nearly 300 million hours resolving problems related to the theft.
Identity theft losses to businesses and financial institutions totaled nearly $48 billion, the FTC says.
'Scary'
There are no statistics on just how many database breaches occur annually. That's because businesses, including merchants and card issuers and acquirers, are unwilling to admit that their security systems for protecting consumers' confidential information failed. But most observers believe it is taking place at an alarming rate.
CardCops.com saw on average about one hacking incident a day last year, says Dan Clements, chief executive. "If we're only seeing one a day, how many really are out there?" he asks. "It's really kind of scary on what the actual numbers are."
CardCops sells an early-warning service that notifies cardholders if their credit card and personal data are compromised.
To be sure, there are financial institutions that bit the bullet and notified customers that their financial information had been compromised. In two cases, Bank Rhode Island and Wells Fargo Bank, the banks went to great lengths not only to contact customers but to advise them on how to deal with the situation.
Bank Rhode Island in December contacted customers after the theft of a laptop computer that potentially included 43,000 names, addresses and Social Security numbers. The laptop had been stolen from an employee of Bank Rhode Island's data service provider, Fiserv Inc.
Notifying customers "was the right thing to do," says Merrill Sherman, president and chief executive of the Providence, R.I.-based bank. "We treated our customers the way we would have wanted to be treated. If you're someplace where your name, address and Social Security number may have been disclosed, you certainly would want to know to be on the alert."
Heightened Awareness
In addition to sending notices to customers, Bank Rhode Island also set up a hotline for customers to speak with bank representatives. It also gave customers access to credit-reporting agency TransUnion so they could review their credit histories and discuss ways to prevent fraud. And it posted on its Web site answers to frequently asked questions about the security breach.
"We thought the better approach was to be proactive," Sherman says. "The thing that helped us in the decision ... was the fact that we could actually recommend something positive for the customer to do."
Bank Rhode Island also contacted federal banking regulators for advice on how to handle the situation. "I (am) supportive of disclosure," Sherman says. "If anything, it just heightens the awareness that this is an all-too-common problem."
The response from Bank Rhode Island customers was "generally positive," Sherman says, adding that the bank received only a "handful" of complaint letters. Despite the response, Sherman says "the preference would have been for (the security breach) never to have happened."
At Wells Fargo, the personal data of some customers were put at risk in November when a burglar made off with a computer containing confidential information. Wells issued a press release announcing the theft and offered a $100,000 reward for information leading directly to the arrest and conviction of the responsible individuals. Police arrested a suspect several days later, and authorities said they believed all the information had been safely recovered.
Wells took a number of measures in the wake of the theft, including monitoring affected accounts for unusual activity and confirming that the customers were the owners of the account at every contact. Wells also said customers would not be affected financially for any unauthorized activity.
Paying Attention
In addition, Wells changed customers' personal account numbers, paid for a one-year membership in a credit-monitoring service, and set up a special toll-free number for affected customers to contact. The bank also added a credit-reporting alert to customers' credit files through Experian Inc.
But Bank Rhode Island and Wells Fargo are the exception. That's what is prompting lawmakers and regulators to take steps to force disclosure of database break-ins. Financial institutions "definitely pay more attention to protecting customer data when external regulations are in place," Camplejohn says.
The Federal Trade Commission's approach is to hold online merchants liable for database breaches. In one high-profile case in August, the FTC reached a settlement with Guess Inc., the designer clothing and accessory marketer, over FTC charges that the retailer misrepresented the security of its Web site, leaving customers' private information exposed.
The FTC began reviewing Guess security after a consumer in February 2002 broke into the Web site using a commonly known technique, SQL injection, in which malformed input entered on a Web form alters the structured query language (SQL) commands the site sends to its database. The consumer gained access to data, including name, credit card number and expiration date, from about 200,000 accounts. The card information accessed was not used for fraud. The FTC said Guess falsely told visitors to its Web site that it stored such data in an "unreadable, encrypted (form)."
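The following is an added illustration of the attack class described above; it is not Guess's code or data. It uses a constructed in-memory SQLite table standing in for a merchant's customer database, with hypothetical function names, and shows a lookup that splices user input into the SQL text (the vulnerable pattern) beside the same lookup written with a bound parameter. The injected string makes the vulnerable query's WHERE clause always true, so it dumps every row, including unencrypted card numbers, while the parameterized version treats the same string as a literal name and returns nothing.

```python
"""Added example: SQL injection against a merchant lookup, vulnerable vs. hardened.
Not code from the original article or from any company it describes."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a merchant's customer table.
    # Card numbers are standard test numbers, stored in the clear to mirror
    # the "not actually encrypted" situation the article describes.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, card_number TEXT, expiry TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_number, expiry) VALUES (?, ?, ?)",
        [
            ("Alice Example", "4111111111111111", "12/05"),
            ("Bob Example", "5500000000000004", "03/06"),
            ("Carol Example", "340000000000009", "07/04"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the user-supplied value is concatenated directly
    # into the SQL text, so quotes in the input end the literal and the
    # rest of the input is executed as SQL.
    sql = (
        "SELECT name, card_number, expiry FROM customers WHERE name = '"
        + name
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: the value is passed as a bound parameter. The SQL
    # text is fixed, and the driver hands the value to the engine as data,
    # so quotes or keywords in it can never change the query's structure.
    sql = "SELECT name, card_number, expiry FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A classic tautology payload (hypothetical attacker input). Against the
# vulnerable query it yields:  ... WHERE name = 'x' OR '1'='1'
INJECTION = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with an honest name and with the payload."""
    conn = build_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "Alice Example"),
        "honest_hardened": lookup_hardened(conn, "Alice Example"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTION),
        "injected_hardened": lookup_hardened(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

Running the block shows one row for the honest name in both versions, all three rows (with full card numbers) for the payload against the vulnerable query, and no rows for the payload against the parameterized query. The fix is not input filtering but keeping data out of the SQL text; the same principle applies to any database driver that supports bound parameters.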
Under the settlement, Guess implemented a comprehensive information security program for its Web sites. The settlement also prohibits Guess from misrepresenting the extent to which it maintains and protects the personal information collected from consumers. Violation of the settlement could result in a fine of $11,000 for each incident.
A similar incident involving the Web site of Columbus, Ohio-based women's apparel retailer Victoria's Secret Direct LLC ended in a settlement with New York Attorney General Eliot Spitzer in October. Spitzer's office began investigating how the company protects consumer data after a customer gained access to other customers' personal information, including name, billing address and items ordered. The retailer inadvertently left the information accessible via the Internet, in violation of its published privacy policy.
Under the settlement, Victoria's Secret agreed to improve the security of its Web site, including hiring an external auditor to monitor compliance with the security program. The settlement also required the retailer to pay $50,000 to the State of New York as costs and penalties as well as give gift certificates or credits to the affected customers.
There is no evidence that these breaches led to fraudulent use of the information, but they highlight just how vulnerable some merchants' Web sites are, observers say.
'Conspiracy'
For their part, some merchants last May tried to force Visa USA, MasterCard International, American Express Co., and Discover Financial Services to disclose security breaches. In a class-action suit, the group of merchants contended the card companies failed to take appropriate measures to address fraud and theft on the Internet and in the mail- and telephone-order industries.
Also named in the lawsuit, filed in the U.S. District Court for the Eastern District of North Carolina, were Visa's and MasterCard's thousands of issuing and acquiring members.
The suit charged the card companies are violating the Racketeer Influenced and Corrupt Organizations Act (RICO) and other laws by conspiring to commit fraud and theft when processing merchants' Internet and mail- and telephone-order transactions. Their motive, the suit alleged, was increased revenue from penalty fees and higher interchange fees charged to e-merchants and other merchants in the card-not-present category.
As evidence, the merchants alleged that the card companies didn't inform online merchants of stolen credit card account numbers. Mark W. Ishman, attorney for the merchants, cited an incident in February 2003 in which a hacker stole 13 million account numbers. The card companies elected not to cancel these cards but just monitor them, Ishman said at the time the lawsuit was filed.
The merchants withdrew the suit in October, Ishman says, without giving a reason why.
If successful, the suit might have forced issuers and acquirers to notify merchants of stolen account numbers.
The Right to Know
Meanwhile, Feinstein's bill is wending its way through Congress. In testimony before the Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security in November, Feinstein said that she strongly believes "individuals have a right to be notified when their most sensitive information is compromised, because it truly is their information. And they have the right to decide what actions they want to take once a breach has been discovered."
What's more, the West Virginia Legislature is considering a bill, introduced Jan. 14, that would limit merchant liability for credit card fraud over the Internet to $250 unless the issuer cooperates in investigating the fraud and prosecutes the persons committing the fraud. The bill, sponsored by state Sens. Jon Hunter and Anita Caldwell, also would require credit card companies to make annual reports to the state attorney general on prosecutions of credit card fraud cases against businesses in the state.
For their part, financial institutions and merchants contend that reporting every breach of security, including those unlikely to result in fraud, would not only be costly but could give the false impression that their Web sites are vulnerable to fraudsters.
"If (financial institutions) start sending three, four, five notices to their customers saying 'we suspect your information may have been breached but we don't know for sure,' ultimately that's going to affect them even if they have taken all the reasonable security measures they could take," Vontu's Camplejohn says.
Consumers, too, say they don't want to be contacted every single time there is the possibility their confidential data have been exposed, but only in situations where there is a real danger the information will be used fraudulently, according to the Ponemon survey. "They want a pretty high degree of confidence that their information might be at risk," Camplejohn says.
Concerns about database security can only grow, fueled largely by the sharp increase in identity theft. The hope is that disclosure laws and regulations will force financial institutions to take a harder look at their database security systems and practices.