Bracing for the New Privacy Laws

Computerworld - One would think that, some eight years into the Internet age, enlightened self-interest would have motivated financial services and e-commerce vendors to put a higher value on maintaining the integrity of customer data. But companies' seeming inability to follow a consistent and reliable security model for the use of customer data, and the secretive approach taken to handling credit card security breaches, have helped create a consumer backlash - and a torrent of state and federal legislation.

The latest regulatory salvo, California Senate Bill 1386 (SB 1386), becomes law July 1, and more regulations are coming. The law requires companies to disclose any compromise of customer data to every affected consumer residing in California within 48 hours. And if you don't have up-to-date contact information for those consumers, you must post a notification on your Web site—the e-commerce equivalent of a scarlet letter.

Financial services companies worry that the negative publicity associated with disclosing data compromises could wreak havoc with consumer confidence in both e-commerce and the financial services industry. Consumer fears have been fueled by a string of high-profile data losses, including the compromise of some 8 million credit card numbers at card processor Data Processors International Inc. (DPI) last February. Most of the affected card associations' member banks didn't notify affected customers, despite the possibility that those numbers could be used in conjunction with so-called skip-trace database services online to gain enough information for identity theft.

E-commerce vendors, left in the dark about which card numbers were affected, had to make doubly sure they were checking card verification codes to protect themselves against chargebacks. Fear of negative publicity has kept the issue under wraps. Fear of legal penalties and lawsuits under new laws will now push the issue to the forefront as never before.

In the case of credit card number theft, card associations do provide security guidelines to merchants and banks, but not all organizations abide by them, says Julie Fergerson, chairman of the Merchant Risk Council in New York. "If DPI had done the [MasterCard] Site Data Protection program ... the break-in never would have occurred," she says. Now legislatures have stepped in to enforce change.

That leaves IT professionals to struggle with the intricacies SB 1386 and similar federal legislation, called the Database Security Breach Notification Act, that Sen. Dianne Feinstein (D-Calif.) introduced last week. Bills pending in the Senate include the Social Security Number Misuse Prevention Act and the Privacy Act, which prohibit the display, sale or purchase of Social Security numbers and other personally identifiable information without the consumer's permission. Another bill, the Identify Theft Prevention Act, would prohibit the printing of full credit card numbers on receipts.