Wednesday, June 29, 2005

California Attacks Identity Theft

After the recent high-profile break-ins at various third-party information collectors due to lax security, California has stepped up to the plate. It is the only state in the United States that legally protects consumers from identity theft by forcing information services to notify their customers when a theft occurs and secure that information with regulated safeguards.

According to TechRepublic, California recently went a step further, protecting also local merchants and customers who were unsure their information could be used:
The class-action suit was filed in California Superior Court in San Francisco against CardSystems Solutions, Visa and MasterCard on behalf of California credit card holders and card-accepting merchants, according to a copy of the suit.

The lawsuit accuses the companies of violating California law by neglecting to secure credit card systems and by failing to inform consumers in a timely manner about the security breach at payment processor CardSystems, which was disclosed publicly on June 17 by MasterCard.
In the break-in, intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, credit card companies have said they would
not notify customers unless the accounts are actually abused.

The lawsuit asks for CardSystems, Visa and MasterCard to inform consumers whose personal information was exposed and give special notice to those whose data was confirmed stolen. All involved should also get access to a credit-monitoring service, according to the suit.
It's amazing to me how much of this could have been prevented if 1) credit card companies had monitored the storage companies they used and 2) these storage companies had encrypted the data. The claim that this would slow down information retrieval is valid, but surely personal financial information should have the highest security to prevent its theft. There are only so many ways you can protect a system, but if the data inside that protection is encrypted properly, there is no way it can be used.


Post a Comment

<< Home