The big question we have is this: how come the banks aren't talking about how many checking accounts are at risk because the fraud occurred with ATM debit cards switched through the credit card networks? It isn't only credit cards, and it is worse when it's debit cards. I am shocked that no story I’ve seen on the Cardsystems breach mentions that many of the transactions were likely debit card transactions, where fraud could occur in checking accounts. Even though your bank promises to limit your debit card liability to zero or $50, by law you could lose all the money in your account, and in the meantime you are fighting to get it back. Other checks could bounce. Other hassles could occur.
The next question we get: is this identity theft? Sort of, but not really. More precisely, it is merely credit card, or checking account, fraud. The bad guys got your account number, expiration date and your security code (from the back of the card or the stripe). They didn't get your Social Security Number, which is the key that unlocks your financial identity and allows them to open totally new accounts in your name. But fraud on this scale is bad enough. It can ruin your life, too.
The next question and the one we keep getting asked: Will this keep happening? Yes. Until Congress gives consumers adequate control over their personal information – something at least 85%-90% or more of consumers want in every poll – and the right to enforce those rights in court, it will keep happening. Adequate control isn't merely breach notification. To some extent, we already have that, since California law is largely being enforced nationwide. We also need the right to control access to our credit reports through a security freeze. We also need the right to control the sale or sharing of our information. And we need the right to go to court to enforce our rights.
But remember, breaches did not just start happening recently. We know more about them only because California’s security breach notification law took effect in 2004, and some companies, under pressure from other state Attorneys General, are complying with it nationally. Meanwhile, the state PIRGs are pushing our PIRG/CU Model Identity Theft Law to passage in numerous states.
My view by the way is that this is actually your bank’s fault, even if Cardsystems dropped the ball. When your bank -- through its network -- decides to do business with Cardsystems, it has a responsibility to hold its subcontractor accountable. Banks can outsource labor, but not their responsibilities under the Gramm-Leach-Bliley Safeguards rule.
Tips for consumers? (1) Review your checking and credit card statements regularly, including online if you have that capability, and certainly on the day you receive your statements, and dispute immediately, (2) never ever use your debit card on the Internet, only your credit card because it is better protected by law (here's our fact sheet on debit cards) and (3) if you get the breach notification letter from your bank, that’s when to worry about closing your account, not before.
Next, fight PHISHING, on the web or phone: if someone calls you OR emails you and asks for confidential account-related information as part of a security check, hang up or don’t reply to the email. Either way, if you think it might be real, pull out your card and call the number on it. Ask if there is a problem with your card. Think about it—if your bank, not some hacker in Russia, were calling you, they’d already know your information, wouldn’t they?
What does Congress need to do? First, upgrade the debit card laws - all plastic should have the same strong protections, but that upgrade is not even on Congressional radar. Second, Congress could adopt a security breach notification law nationwide. This has been proposed by, among others, Sen. Dianne Feinstein (CA) and separately, by Sens. Chuck Schumer (NY) and Bill Nelson (FL). Sen. Feinstein's latest bill, S 751, would preempt state breach laws and that preemption could pose risks to other state protections. It's a good bill on the merits of what else it does, except for this preemption, but that's enough reason it shouldn't become law. Congress should plain and simple get out of the business of eliminating state rights to protect their consumers better. (Expect to see a lot more posts on this blog about the laboratories of democracy and preserving stronger state laws.) S 768 (Schumer-Bill Nelson) would not eliminate stronger state laws. That bill also regulates data brokers such as Choicepoint, something else Congress should do. We have some material on the "unregulated parallel universe" of the data brokers at our Identity Theft pages. Congress should give consumers control of their information, as many states have done, through their enactment of the security freeze part of the PIRG/CU model Identity Theft law.
What else should consumers do? Be ready to fight back when ID theft hits. Even if you remove your Social Security Number from circulation by taking it off your checks, off your driver's license, and out of your wallet, and even if you are careful, you may at some point become a victim. If you see any signs of identity theft, go immediately to the FTC for help. Their first tip is this—make a call to any of the big 3 credit bureaus and ask for a fraud alert. They will tell the other two for you. They will send you more info.
Finally, of course, what else should Congress do? Give consumers privacy rights, but don’t take away the right of the states to protect their consumers better. Federal law should be a floor, not a ceiling. Without leadership from the states, Congress never acts. For more information, see PIRG's (anti) preemption web page.
Ed