Identifying Solutions To Identity Theft:
Government and Banking Industry Step Up Efforts To Prevent Data Breaches
By Katie Curnutte
Identity theft is getting more publicity than ever as missing tapes containing consumer data and mistakes plague not only the financial industry, but other industries that store account numbers and Social Security numbers.
Since the 2003 data theft from BJ’s Wholesale Club – the first major data breach that affected New England customers and banks – the state of Connecticut, the federal government and the banking industry have been stepping up efforts to prevent such breaches. Last year, Gov. M. Jodi Rell formed a task force to address identity theft issues. The ensuing report is meant to outline different ways to deal with the problem. State Senator Bob Duff, D-Norwalk, co-chairman of the Banks Committee, held a hearing on data breaches earlier this year to help inform other legislators of the problem. Regionally, bank trade associations, including the Connecticut Bankers Association, have formed the New England Debit Card Task Force. The Task Force has recommended several important rules changes to MasterCard and Visa and developed a debit card best-practices guide for the industry.
Federally, legislators are seeking to regulate the non-financial industries that store consumer data, but which are not yet regulated.
The efforts have been working and banks are more secure, according to John Green, the information security manager for Fiserv VISION in Wisconsin. Green was one of the experts that the Connecticut Bankers Association called upon to testify at Duff’s hearing.
“Although there have been a number of data breaches announced over the last year, bank customer data is more secure now than it has ever been,” Green said. “Existing regulations are working. Due to intense scrutiny by examiners, financial institutions have no choice but to take computer and information security seriously.”
Some of that increased security at banks is due to some federal laws that have regulated consumer information.
“The federal government has been looking at this for a couple of years,” said Greg Mesack of America’s Community Bankers.
Legislation has been passed in Washington updating the Fair Credit Reporting Act. The new legislation known as the FACT Act allows consumers to view free credit reports and to place fraud alerts on their accounts if they suspect any illegal activity.
“Now they’re continuing that as they look at legislation addressing data breaches,” Mesack said.
Of concern is the simple issue of committee jurisdiction, according to Gerry Noonan of the CBA. There are four major data breach legislative proposals currently under review in Washington by four different committees. The industry currently favors H.R. 3997, being considered by the House Financial Services Committee, as it provides that the federal functional regulators would maintain their jurisdiction over the industry on this issue.
Data Protection: A Two-Part Process
Regulations are important because the majority of data breaches in the financial industry are due to lost tapes or lost or stolen laptops, and not hacking, according to Green.
“Compare this to unregulated areas such as higher education and universities and the picture is almost the complete opposite – the majority of announced breaches are due to systems being hacked,” he said. “In response, most financial institutions are exploring ways to encrypt tapes and laptops so that their loss will not result in exposure.”
The newest federal laws will likely affect companies other than financial institutions, which are already regulated by the Gramm-Leach-Bliley Act. And lately, the most egregious breaches have to do with non-financial institutions, like retailers, Mesack said.
There are two parts to protecting data, according to Mesack. One is the actual protection. The other is how to notify customers when there is a data breach.
Some ideas have been to allow customers to freeze their credit reports. Connecticut has done that, but it is a controversial measure nationally.
“That’s an ongoing discussion,” Mesack said.
Connecticut’s law, which was enacted this year, allows customers to freeze their credit, thereby preventing others – including banks – from gaining access to the report without permission from the customer. The law also requires businesses, after consultation with law enforcement, to promptly notify consumers in the event of a security breach.
Another concern for banks is the cost of cleaning up a data breach – particularly when the breach was not the bank’s fault.
The CBA, in conjunction with the New England Debit Card Task Force, has been working with America’s Community Bankers and the other national bank trade associations to institute a system that will make the party responsible for losing the data also responsible for reimbursing banks for all of the costs associated with the replacement of their cards.
The CBA is currently conducting a survey of its members in an effort to get a more accurate picture of how much it costs to reissue the card, including staff research and customer contact time, replacement cards, postage and handling, etc. According to preliminary information from the ACB, it can cost a bank $15 to $30 to reissue each card.
“While there are some mechanisms in place through card associations, such as MasterCard, those mechanisms are cumbersome and imperfect,” according to documents from the ACB. “In addition, they do not cover instances such as the Lexis and Choice Point where the responsible parties have no relationship to the card associations.
“In order to ensure that banks are fully reimbursed for the thousands of dollars they often spend ensuring that their customers are protected from identity theft and fraud, there must be part of any comprehensive data security legislation a provision mandating that those who are responsible for breaches must pay for the costs of protecting customers put at risk for the breach.”
Another major concern for the banks, according to Noonan, is reputation risk. Since banks are not allowed to divulge where or under what circumstances there was a breach, customers are often left with the false presumption that the bank experienced the problem. This issue is not currently addressed in any of the federal legislative proposals, but it “is one of the top messages we deliver on our visits to Washington,” said Noonan.
Leveling the Playing Field
In Connecticut, the governor’s task force issued a report in January making recommendations for state-centered changes.
The task force was made up of law enforcement professionals and people from the insurance and banking sectors. The group quickly found an imbalance in the way data breaches can be investigated.
“The immediate need … was to attempt to level the playing field with respect to the ability of law enforcement to arrest and prosecute people attempting identity theft and other types of fraud,” said Barry Abramowitz, senior vice president and chief information officer of Liberty Bank, who served on the task force on behalf of the CBA.
The task force’s first recommendation was to define identity theft. The recommended language is, “A person commits identity theft when such person intentionally obtains personal identifying information of another person without the authorization of the other person and knowingly uses that personal identifying information of another person to obtain or attempt to obtain money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.”
Another step the task force recommended was to identify tools used for identity theft – like swipe machines or credit card generation equipment – and make it an offense to own them.
The task force also found that federal authorities have more power to subpoena than do states. So if a case is not a federal offense, the states have limited power. It recommended that the state upgrade the crime of criminal impersonation from a class B misdemeanor to a class A.
The task force also made recommendations on consumer education. State Banking Commissioner John P. Burke offered some funding for more education. Banks already do a great deal, but the task force suggested the addition of an aggressive media campaign and a state Web site on the issue.
“Overall, the task force was responding to a specific issue the governor raised,” Abramowitz said. “Things are moving in the right direction.”
But there are still some steps banks can take to further protect themselves and their customers, Green said.
“Because we are doing a better job securing financial institutions, the hacker target has become the banking customer’s home PC,” he said. “Keystroke loggers, spyware and other forms of malware are being created to steal personal financial and identity data directly from the source. In figurative terms, it is easier to stand on the street and pick pockets than it is to break into a vault.
“Forward-thinking financial institutions will be adjusting their Web sites to market security and help educate their customers,” continued Green. “They should be considering highlighting security threats and safeguards that customers can implement on their home PCs and while performing online banking.”