May 2006 - Security Breach

That’s not something you want to tell your customers. Which is why you should care about legislation that determines when you have to.

By Jack Gordon

Woe unto the direct response marketer who fails to protect sensitive customer data: the kind of information that could allow customers to fall victim to credit-card fraud or identity theft. In 22 states, as of March, consumer-privacy laws now require merchants to notify customers of security breaches. And federal legislation is in the works. No matter how carefully that notification is worded, here is essentially what the retailer must tell perhaps thousands of its customers:

“Hi. Remember when you trusted us with your credit or debit card number and maybe other information that could hurt you if it fell into the wrong hands? Well, your trust was misplaced. We lost your data. A hacker got into our system, or a dishonest employee sold it to an identity-theft ring, or our backup tapes went missing, whatever. In any case, aren’t you glad you did business with us?”

As if that weren’t penalty enough for a merchant, some bills proposed at the federal level include provisions for heavy fines and even jail time for retailers and other businesses that suffer security breaches, says Bill McClellan, director of government affairs for the Electronic Retailing Association (ERA). “I can understand [civil or criminal penalties] in a situation where somebody didn’t take any steps to protect data or comply with the law,” McClellan says. “But the idea of liability for retailers despite their best efforts isn’t appealing.”

Like most business organizations with similar concerns, McClellan says, ERA favors a national consumer-privacy law that would supersede state legislation, giving retailers a single rulebook to abide by, as opposed to dozens of laws with provisions that vary from state to state. But any such federal legislation should be carefully crafted. Along with most business interests, he says, ERA favors the Consumer Privacy Protection Act known as the Stearns Bill, named for Rep. Cliff Stearns (R-FL), over more draconian bills now smoldering in Congressional committees.

The stakes are high, and the variables are complex. But for DR marketers, the key issues boil down to a handful of questions: What’s with all this state and federal privacy legislation all of a sudden? What constitutes “sensitive” consumer information? What penalties will I face if I lose that sensitive information? And how can I protect it, or at least reduce the risk of losing it?

California was the first state to react to concerns about identity theft with a security-breach disclosure law, in effect since 2003. Though that law affected national retailers doing business with California residents, privacy protection was a back-burner issue in most of the country until February 2005. That’s when ChoicePoint Inc. acknowledged that it had gotten a little careless with the records of more than 163,000 consumers.

ChoicePoint, an Atlanta data broker, is in the business of selling consumer information to other companies, including names, Social Security numbers, birth dates, employment information and credit histories. ChoicePoint claimed to have a rigorous screening system that ensured this data was sold only to reputable businesses. In fact, an investigation revealed that the screening process was appallingly slipshod. At least 800 cases of identity theft were documented. So egregious was the company’s disregard for who was buying its data that in January 2006, ChoicePoint agreed to pay a record civil penalty of $10 million, plus $5 million in “consumer redress,” to settle a complaint by the Federal Trade Commission (FTC).

According to the nonprofit Privacy Rights Clearinghouse (privacyrights.org), it was the ChoicePoint case that turned disclosure into a hot-button issue, prompting 21 other states to pass laws similar to California’s and lighting a fire in Congress for a national security-breach notification law. Disclosure of breaches by companies, universities and other organizations has become far more common in the past year, adding fuel to the fire. The Clearinghouse says that since February 2005, more than 53 million Americans have had their personal information “compromised” in some way. Notorious cases include the loss of a backup tape by Bank of America (1.2 million consumers) and a password breach at LexisNexis (about 300,000 consumers).

But wait. What constitutes information about consumers that is “sensitive” enough to expose them to a real risk of identity theft, and thus trigger a law’s notification provision? If a company merely loses a list of names and addresses, information that could be found in any phone book, should it be required to send out thousands of notification letters? And are consumers really well served when they receive such letters, or are they spooked for no reason?

Or suppose the “compromised” information is encrypted so that a thief can’t read it? Or what if it is compromised in name only, under circumstances highly unlikely to result in any cases of identity theft, as when, during a move, AOL lost a backup tape that could be read only by a particular machine?

Those are issues that lobbyists for ERA and other business organizations have been fighting to get Congress to recognize. The fear, according to ERA’s Washington lobbyist, Jim Davidson, is that national legislation could be modeled on California’s law, which has low “trigger points” for customer notification. That is, companies are required to notify customers of a security breach even if the lost information is not particularly sensitive or if its loss is unlikely to result in fraud or identity theft. At the national level, Davidson says, he and other advocates have focused their attention on the Stearns Bill, with considerable success. “[The bill is] a lot better now than what we started with,” he says.

Social Security numbers, bank account information, passwords and so on obviously qualify as “sensitive,” Davidson says. But names, addresses and even credit card numbers should not, he argues, unless the credit card information also includes the card’s expiration date or its security code. And even if sensitive information is lost, notification should not be required unless there is a reasonable expectation that identity theft might occur. Is the data encrypted? That should count for something, he says. Depending on the circumstances, the loss of encrypted data should not necessarily trigger a law’s notification requirement.

As currently written, the Stearns Bill takes those issues into account, Davidson says. He urges ERA members to contact their national legislators in support of the bill.

Regardless of what state and federal legislation may require, the best way for a retailer to avoid trouble is to avoid losing customer information in the first place. When it comes to identity theft, experts say that careless or dishonest employees are a greater threat than hackers or other computer criminals (see “Identity Crisis” feature on page 38 in the April issue). This means that, regardless of the encryption services, firewalls or other technological safeguards a retailer has in place, any security program must carefully restrict the number and type of employees who have access to unencrypted data.

Encryption and system protection obviously are vital first steps, however. In online sales, security begins with the web transaction itself, which should be encrypted via secure sockets layer (SSL) or transport layer security (TLS) technology. The largest provider is VeriSign Inc. of Mountain View, Calif., which certifies and enables e-commerce transactions on almost 60,000 web sites. A seal such as VeriSign’s also assures buyers that the site is legitimate and not a bogus version set up as part of a “phishing” scam, says Tim Callan, the company’s group product marketing manager. He says prices for basic SSL protection start at $349 per server per year.

But a common mistake among retailers is to “confuse transaction security with data security,” says Karim Toubba, vice president of product management for Ingrian Networks of Redwood City, Calif. The fact that a web transaction is encrypted does not mean that the data stored in the retailer’s system after the transaction is likewise encrypted. Ingrian Networks specializes in protecting this stored “data at rest,” encrypting whatever information its clients (banks and payment processors, as well as retailers) consider sensitive. The hardware and installation for Ingrian’s service starts at about $40,000. (VeriSign and other companies also offer security services for data at rest, but these services are separate from the SSL encryption for web transactions.)
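The "transaction security versus data security" gap described above, shown in an added example that is not from the article or any vendor it names: the same order record is written to storage two ways, and a simple data-at-rest scan (Luhn-checked digit runs, the kind of check a retailer can run over database dumps, logs and backup files) recovers the card number from the first record but not the second. The sample order, the key and the storage helpers are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import re

# Constructed sample order; the PAN is a well-known test number that passes Luhn.
SAMPLE_ORDER = {"name": "A. Customer", "pan": "4111111111111111",
                "exp": "09/08", "amount": "49.95"}

# Hypothetical tokenization key; in a real deployment it lives in an HSM or a
# separate key service, never in the same database as the records it protects.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def store_plaintext(order):
    """Transaction security only: TLS protected the card number in flight,
    but the record at rest keeps it verbatim."""
    return json.dumps(order).encode()

def store_protected(order):
    """Data-at-rest variant: keep only what the business needs (last four
    digits) plus a keyed token; the full PAN and expiry never reach storage."""
    pan = order["pan"]
    safe = {k: v for k, v in order.items() if k not in ("pan", "exp")}
    safe["pan_last4"] = pan[-4:]
    safe["pan_token"] = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return json.dumps(safe).encode()

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_plaintext_pans(blob):
    """Scan stored bytes for Luhn-valid card-number-shaped digit runs."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running `find_plaintext_pans(store_plaintext(SAMPLE_ORDER))` returns the card number; running it over `store_protected(SAMPLE_ORDER)` does not, because only the last four digits and a keyed token were ever written.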

Alarms about identity theft have left many consumers wary of giving their credit card information to a web site regardless of security assurances. A service called Secure-eBill, introduced last May by MODASolutions Corp. of Philadelphia, offers an alternative. Visitors to the company’s client sites, including and, may choose to click on a Secure-eBill icon, as opposed to a credit-card-payment icon. If they do, the transaction is handled via the buyer’s online bank account rather than by credit card.

“You can give [the e-commerce site] only your first and last name and your e-mail address,” says MODASolutions CEO Marwan Forzley, though a mailing address also is necessary if the product must be shipped. “An invoice is sent to you instantly by e-mail. You then [instruct your bank] to pay the invoice the same way you would pay your utility bill online.”

In other words, the buyer need not provide the online merchant with a credit card number or a bank account number. The buyer’s bank pays the merchant. “And consumers are more likely to trust their banks’ electronic security,” Forzley says. He adds that the same system also is available for phone transactions handled by merchants or call centers. Instead of giving the operator a credit card number, the buyer provides an e-mail address and gets an immediate electronic invoice. No sensitive information changes hands. Forzley says the fee is 1 percent to 1.5 percent per transaction, depending on volume.

Jack Gordon is editor at large for Electronic Retailer magazine. We would appreciate your feedback. To submit comments, please e-mail the magazine at [email protected].
