A Civil War Between the States and Federal Government Over One Law for All Breach Notifications

Posted on February 19th, 2014 by Dan Rampe

Data Breach

Unlike other recent Congressional fights, the dispute over a single federal law on how customers should be notified about breaches looks to be less rancorous and more civil. That’s because privacy concerns cut across party and ideological lines, often uniting staunch conservative Republicans with civil libertarian Democrats.

The renewed interest in a federal breach notification law covering all fifty states comes on the heels of the Target, Neiman Marcus and Michaels breaches. And while the same vitriol that was apparent in other Congressional battles may not be present, there is a lot to be considered, including how a federal law would affect state regulations that are already in force.

In her Reuters piece, tech/cyber policy reporter Alina Selyukh writes:

Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.

Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end. “Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers…. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. “A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.”

Some state attorneys general worry above all that federal standards would dilute their power to pursue violators….

“There are 47 state standards, there’s no reason to add a 48th,” said [Representative Lee] Terry, the most prominent Republican leading a legislative effort at this point.

Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.

“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”

California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.

Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.


Recent Retail Data Breaches Could Threaten Home Buyers’ Credit

Posted on February 5th, 2014 by Dan Rampe

Home Sale

Could your dream home turn into a nightmare because you bought underwear that turned out to be the wrong size and had to be returned? That’s what some experts are saying. No, not because the underwear didn’t fit and you could stand to lose some weight. It’s because you bought it with a credit card.

Mortgage credit experts warn that the breaches that occurred at Target, Neiman Marcus et al. could wreak havoc with some people’s credit, lowering credit scores and threatening loan applications. And anyone who’s bought property that’s drawn a lot of interested buyers knows that the seller is not going to wait while a buyer’s credit history is sorted out.

Writing in the Washington Post, Kenneth R. Harney details the trials and tribulations likely to arise in real estate and housing as a result of hacks on major retailers.

The Target breach alone could touch as many as 70 million credit and debit card customers, according to the company. Neiman Marcus says that data on 1.1 million of its customers may be vulnerable to fraud. Data security researchers report that at least six other merchants have experienced data breaches from point-of-sale malware similar to what was used in the Target thefts.

Both Target and Neiman Marcus have sought to reach out to customers and have offered free credit-monitoring services. But credit experts say it’s likely that given the sheer size of the data thefts, large numbers of people either have not taken advantage of these offers or have, for varying reasons, not been aware that their data may have been compromised.

So what are the potential blowbacks on home sales and mortgage applications?

Start with the basics: Identity theft, if not corrected quickly, can make a mess of anyone’s credit bureau files. Though victims may not be liable for the unauthorized debts racked up, their credit reports — and, in turn, their credit scores — can be damaged for weeks or months.

Listen to Terry Clemans, executive director of the National Consumer Reporting Association, the primary trade group that represents independent credit-reporting companies serving the mortgage industry.

Clemans says that mass identity heists such as those at Target and Neiman Marcus have the potential to create “havoc on credit files for as long as it takes for the consumer to document [that] the accounts are due to identity theft and get them removed from the file. The impact on credit scores, although short-term, is devastating because they are current defaults and [trigger] a big hit to the score. With the sizes of the breaches, this could be painful for a long time.”

Sarah Davies, senior vice president for VantageScore Solutions, one of the two major providers of consumer score models used by banks and other creditors, confirmed that unauthorized debts on credit reports “can have quite a big impact” and could interfere with certain transactions you want to undertake, such as buying a home or applying for a mortgage.

Among the scenarios that could begin surfacing as the stolen information from retailers is sold and used in the coming months:

  • Home sales could be knocked off track by the sudden appearance of new debts on buyers’ credit reports. Many lenders monitor national credit bureau files electronically from the date of loan approval to moments before closing. Even if you explain that you were a victim of identity theft, your financing could be put on ice until you and the bureaus clean up your reports. That could cause you to miss contractual deadlines with the home seller and, worst case, cause you to lose the house.
  • Undetected run-ups of balances on credit cards could seriously affect “utilization ratios” — how much of the available credit maximum a consumer has drawn down — and cause declines in scores. High rates of utilization, or “maxing out,” are penalized by the major scoring models. Lower credit scores, in turn, may disqualify you for a mortgage, at least until you are able to document to the credit bureaus’ satisfaction that the new debts were the result of identity theft.
  • Undetected use of your information to create one or more new credit cards could be especially damaging and time-consuming to fix.

Clemans notes that although merchants and the bureaus may be eager to help resolve identity theft situations, they are also on guard against attempts by consumers to blame everything negative in their files on identity theft. They’ll want proof and documentation before expunging the bad information.

In the mortgage context, there’s another complication: Although independent credit reporting agencies, which resell and reformat the national credit bureaus’ data for lenders, can often help advise loan officers on ways to improve their applicants’ scores — a service known as “rapid rescoring” — they can’t help in identity theft repairs. That needs to be done by the consumers themselves, by contacting the bureaus, placing fraud alerts or freezes on their accounts, then working to clean out the bad stuff, line by line.


Neiman Marcus Targeted by Same Hackers Who Targeted Target? Upscale Retailer Breached During Same Approximate Time Frame.

Posted on January 14th, 2014 by Dan Rampe

Neiman Marcus

Neiman Marcus has a reputation for expensive merchandise, especially for holiday shoppers looking for a unique gift. Among last year’s offerings: a trip that starts at De Beers, where the gifted claims and names his/her (we want to be politically correct here) 25-carat diamond, continues to Namibia to learn about ethical diamond sourcing, and ends in the USA, where the recipient designs the ring: $1,850,000… an Aston Martin Vanquish Volante with a naturally aspirated 6.0-liter V-12 producing 565 horsepower and 457 pound-feet of torque, with a top speed of 180-plus mph: $344,500… an outdoor entertainment system whose television stores itself underground and, at the click of a button, rises as a 201-inch C SEED screen with DirecTV and a media library: $1,500,000 to $2,640,000.

Though its merchandise can be pricey, one thing Neiman Marcus hadn’t intended to offer customers, but did anyway, was the opportunity to have their personal information compromised by cybercriminals.

Was the Neiman Marcus breach related to the Target attack? No one knows for sure or at least they’re not saying. But Brian Krebs on krebsonsecurity.com points out that “Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers.”

Citing financial industry sources, Krebs wrote that “an increasing number of fraudulent credit and debit card charges…were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas-based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.”
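The “common point of purchase” analysis Krebs’ sources describe is how issuers and card brands usually locate a breached merchant before the merchant itself knows: take the cards that later showed fraud, look back over where each was used during the suspected exposure window, and find the merchant they share that ordinary cards do not. The following is an added example, not code from the original post or from any issuer’s or ThreatMetrix’s tooling. It runs over a small set of constructed transactions; the card IDs, merchant names, dates and the exposure window are all invented for illustration.

```python
"""Common point of purchase (CPP) analysis over constructed card transactions.

Added example. For each merchant, count how many later-flagged cards shopped
there inside the exposure window, then compare with the merchant's share among
cards that stayed clean, so a chain everyone visits is not mistaken for the
breach point.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (card_id, merchant, purchase_date); not real data.
TRANSACTIONS = [
    ("F1", "NeimanMarcus", date(2013, 7, 20)), ("F1", "BigBoxMart", date(2013, 8, 2)),
    ("F1", "CoffeeShop", date(2013, 9, 1)),
    ("F2", "NeimanMarcus", date(2013, 8, 11)), ("F2", "BigBoxMart", date(2013, 8, 12)),
    ("F2", "CoffeeShop", date(2013, 9, 15)),
    ("F3", "NeimanMarcus", date(2013, 9, 3)), ("F3", "BigBoxMart", date(2013, 9, 4)),
    ("F3", "GasStation", date(2013, 9, 5)),
    ("F4", "NeimanMarcus", date(2013, 9, 21)), ("F4", "BigBoxMart", date(2013, 10, 1)),
    ("F5", "NeimanMarcus", date(2013, 10, 5)), ("F5", "BigBoxMart", date(2013, 10, 6)),
    ("F6", "NeimanMarcus", date(2013, 10, 19)), ("F6", "BigBoxMart", date(2013, 10, 20)),
    ("C1", "NeimanMarcus", date(2013, 8, 30)), ("C1", "BigBoxMart", date(2013, 9, 10)),
    ("C2", "NeimanMarcus", date(2013, 11, 15)),  # after the window: must be ignored
    ("C2", "BigBoxMart", date(2013, 9, 12)),
    ("C3", "BigBoxMart", date(2013, 7, 30)), ("C3", "CoffeeShop", date(2013, 8, 5)),
    ("C4", "BigBoxMart", date(2013, 8, 20)), ("C4", "CoffeeShop", date(2013, 8, 25)),
    ("C5", "BigBoxMart", date(2013, 9, 18)), ("C5", "CoffeeShop", date(2013, 9, 19)),
    ("C6", "BigBoxMart", date(2013, 10, 10)),
]
# Cards the issuer later flagged for fraudulent charges (constructed).
FRAUD_CARDS = {"F1", "F2", "F3", "F4", "F5", "F6"}
# Suspected exposure window (constructed; in practice inferred from fraud dates).
WINDOW = (date(2013, 7, 16), date(2013, 10, 30))


def merchants_per_card(transactions, start, end):
    """Map card_id -> set of merchants where it was used within [start, end]."""
    per_card = defaultdict(set)
    for card, merchant, when in transactions:
        if start <= when <= end:
            per_card[card].add(merchant)
    return per_card


def cpp_scores(transactions, fraud_cards, start, end, min_support=2):
    """Rank merchants as candidate breach points.

    coverage = fraction of flagged cards (with in-window activity) seen at the merchant
    baseline = smoothed fraction of clean cards seen at the same merchant
    lift     = coverage / baseline; a ubiquitous merchant has lift near 1.0
    Merchants seen on fewer than min_support flagged cards are dropped as noise.
    """
    per_card = merchants_per_card(transactions, start, end)
    fraud_hits, clean_hits = Counter(), Counter()
    n_fraud = n_clean = 0
    for card, merchants in per_card.items():
        if card in fraud_cards:
            n_fraud += 1
            target = fraud_hits
        else:
            n_clean += 1
            target = clean_hits
        for merchant in merchants:
            target[merchant] += 1
    if n_fraud == 0:  # nothing to analyse in this window
        return []
    results = []
    for merchant in set(fraud_hits) | set(clean_hits):
        support = fraud_hits[merchant]
        if support < min_support:
            continue
        coverage = support / n_fraud
        # Add-one smoothing keeps the baseline non-zero when no clean card shopped there.
        baseline = (clean_hits[merchant] + 1) / (n_clean + 1)
        results.append({"merchant": merchant, "fraud_cards": support,
                        "coverage": coverage, "lift": coverage / baseline})
    results.sort(key=lambda r: (r["lift"], r["coverage"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in cpp_scores(TRANSACTIONS, FRAUD_CARDS, *WINDOW):
        print(f'{row["merchant"]:14} flagged cards={row["fraud_cards"]} '
              f'coverage={row["coverage"]:.2f} lift={row["lift"]:.2f}')
```

On the constructed data every flagged card shopped at both NeimanMarcus and BigBoxMart, so coverage alone cannot separate them; the lift against clean cards does (3.5 versus 1.0), which is why a real CPP run always needs a control population and an exposure window rather than just the fraud cards’ histories.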

The company issued a statement saying that, “Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

“We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.”

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
