Is That Legal?
In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks:
It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether the current action (or inaction) by the bank is acceptable to customers if the risk is unknown?
I’d start not with acceptability to customers, but acceptability to a variety of States’ Attorneys General. The choice of keeping consumers in the dark is no longer legal in 21 states, and is no longer acceptable anywhere. If I was an unnamed processor, I’d sure be asking myself “Am I gonna end up like Choicepoint or am I gonna end up Cardsystem Solutions, sold for parts?”
The rules on disclosure, both legal and social, have changed. Companies must come clean about their errors.
One possibility is that the data processing company is not in the US. Nothing in the linked articles says otherwise.
What do these laws require when the breach occurs outside the US?
@Josh:
It doesn’t matter whether the firm is in or out of the US. If the victims (speaking loosely) are in a state with a breach notice law, then notice must be sent.
However, in the case of processors, you have a breach of a 3rd party’s system. I suspect this is what allows the notices not to occur. I hasten to add that IANAL.
EC has had posts on this before — the general issue is banks being left in the lurch when Visa, MC, et. al. are perceived as being less than forthcoming about what they know concerning breaches (I’m thinking Sam’s Club here, and now this).
The issue has been discussed in the banking press (American Banker had an article about it, eg.). I do not understand how a banker who is starved for info, and who incurs possible additional costs by doing the conservative thing and replacing all cards doesn’t simply name the party whose systems were breached. Obviously, you run the press release by legal and you say nothing accusatory. I do not understand this reluctance to name names. I am starting to think that it is an open secret in some circles that certain processors are not secure, and that certain retailers are behind the curve. If I am right, when this breaks it will break hard.
Notice that the state with Eliot Spitzer as AG (and soon, perhaps, as Governor) is the one whose AG’s office *must* be informed of breaches involving its residents, and whose AG’s office is charged with enforcement.
The third party nature of the storage doesn’t change disclosure obligations. Encryption, however, might.