The Wells Fargo example
Doing the right thing
Opinion: Companies should protect consumer data better than Wells Fargo did, but in cleaning up its laptop data spill the bank blazed a trail worth following, says SecurityFocus columnist Mark Rasch.
In July of this year, a new law took effect in California, SB 1386, that requires all companies that do business in the state to "promptly" notify any individuals whose personally identifiable information was potentially compromised by a cyber attack. Last week, we saw the impact of that law when Wells Fargo notified thousands of its customers that their information may have been compromised after a laptop computer containing account data was stolen from a contractor. Wells Fargo also announced that it would pay $100,000 for the return of the laptop.
The case illustrates how the California law is both overbroad on the one hand, and far too limited on the other. While Wells Fargo failed to insist that its contractor adequately secure the laptop in question, and also failed to have the contractor encrypt all sensitive information stored on portable media (including laptops), Wells Fargo deserves kudos for responding appropriately and doing the right thing when the theft occurred.
It now appears that a 38-year-old Home Depot employee from Concord, California stole the laptop computer specifically for the purpose of using the data on it to perpetrate identity fraud. So Wells Fargo's actions in notifying potential victims, and offering to pay to monitor and, if necessary, repair their credit, should be applauded. All the more so because it went far beyond what the California law required.
Many people assume that when customer account information is compromised, SB 1386 requires that the customer be notified. However, the law requires disclosure of breaches only when a particular type of account information is disclosed. The language of the statute specifically reads:
For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Unless the information compromised is both the person's name and account access information, SB 1386 does not explicitly require that the potential victim be notified.
This makes sense when you consider the context in which the law was passed. The primary impetus for the legislation was an electronic break-in at the Stephen P. Teale Data Center that, according to the bill's analysis, "saw the personal financial information of hundreds of thousands of state workers fall into the hands of computer hackers," providing "a dramatic demonstration of an all too common event -- a breach in data base security which exposes victims to the further harm of identity theft."
Thus, it is clear that the purpose of the legislation was not to alert persons that their privacy may have been violated, but to alert them to particular types of privacy violations -- those that could expose them to the harm of identity theft. The notification is supposed to be timely so the consumer can take prophylactic action. This is one of the problems with the law, because in actuality, simply being notified of a compromise is usually not enough to prevent an identity theft. In this regard, SB 1386 does not really help consumers.
Where a compromised system or laptop contains either a person's name and address or their account information, but not in combination, a company could take the position that no disclosure is required.
However, that can be a dangerous position to take where there has been an actual compromise of personal data. The company suffering the compromise should do the right thing, regardless of the limited scope of the California law. Wells Fargo's handling of its laptop theft provides an exemplary model.
If your company detects a potential compromise of personal information, you should first investigate -- determine as best you can the extent of the loss and the type of data at risk. If information has actually been compromised, notify all of your customers, not just the California ones. Then, do what Wells Fargo did, and offer to pay to protect your customers' personal data -- with fraud reports and credit watch lists.
There is a certain amount of self-interest involved in doing the right thing here. First, you let your customers know that you take their privacy seriously -- and this helps with customer retention. In addition, doing the right thing may stave off legislation that would mandate that affected companies not only notify consumers, but pay for credit reports.
For example, the proposed Identity Theft Consumer Notification Act, H.R. 818, introduced by Congressman Kleczka, would amend the Gramm-Leach-Bliley Act to require that financial institutions "reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information, and any misuse of such information, including any fees for obtaining, investigating, and correcting a consumer report of such consumer at any consumer reporting agency." Similarly, the Identity Theft Notification and Credit Restoration Act, H.R. 3233, would require credit reporting agencies to put fraud alerts in a consumer's credit report if personal information had potentially been compromised. The Identity Theft Prevention Act, S.223, introduced by Senator Feinstein, would also require the use of such fraud alerts, but wouldn't go as far as H.R. 818.
Companies like Wells Fargo should remember that they are mere fiduciaries of other people's money, information and privacy, and do the right thing to protect it in the first place. And they should notify consumers promptly if the information is compromised, and help their customers fix any problems that result from the potential breach. It may not be the law, but it's a good idea.
Mark D. Rasch, J.D., is a former head of the Justice Department’s computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.