The Washington Post reports on discussion about data protection legislation, including data breaches, in the U.S. Senate:
As federal officials grapple with ways to better protect the privacy and security of Internet users, participants at a Senate Commerce Committee hearing Wednesday appeared to be in broad agreement over the need for data breach laws.
But there was less agreement over online privacy laws, with lawmakers, regulators and companies debating “do not track” proposals and general privacy laws that consumers say they want but companies fear will hurt their bottom lines. […]
[Ranking member of the subcommittee for consumer protection Pat Toomey’s] support for data breach bills, introduced in the Senate by John Rockefeller (D-W.Va.) and a similar bill in the House, comes amid nearly daily hacking attacks of corporate and government databases.
The bills call for clear rules on how soon companies should inform users when their information has been breached. […]
FTC member Julie Brill said at the hearing that the agency doesn’t have an official position on the need for privacy laws. But she said “do not track” requirements are needed — including on mobile devices. She said browser companies have come up with technologies that allow users to ask companies to stop following their activity on the Internet.
But few companies honor those requests and there is little the FTC can do to punish those firms who continue to collect information about users if they haven’t promised to honor “do not track” requests.
The Boston Herald reports on the myriad data breaches affecting Massachusetts residents:
Reports of computer data breaches in Massachusetts are as common as ants at a picnic. Nearly every day a company notifies the state that it lost sensitive personal data, often through a mishap by an employee or, worse, a malicious attack by a hacker.
“We get about 50 a month,” said Barbara Anthony, head of the state’s Office of Consumer Affairs and Business Regulation. “Our reporting law is very stringent. Even if it’s one credit card that’s been lost, the company has to report it to us.”
Minor mistakes aside, consumer watchdogs and computer security experts have been adding up a frightening number of data breaches that are on the scale of the massive hack of Massachusetts retailer TJX that spurred the passage of the state’s identity-theft prevention law in October 2007. […]
Massachusetts has received about 2,200 notification letters from companies reporting lost or stolen personal data in the nearly four years since the law was passed — affecting a whopping 5 million Bay State residents, with some amount of overlap in the identities, according to Anthony’s agency. The companies also must notify affected consumers. […]
The Privacy Rights Clearinghouse counted 283 breaches made public nationwide as of late last week, or about halfway through the year. The nonprofit group counted 597 breaches in 2010. But true numbers of data breaches may never be known because of varying state rules and no reporting requirement at the federal level.
Time discusses the threat to consumers’ credit card data and the chance of identity theft:
Hackers are getting smarter when it comes to stealing your personal account information. The recent data breach at Citi — which turned out to affect some 80 percent more customers than initially reported and led to $2.7 million in unauthorized charges to cardholders’ accounts — is just one example.
Even worse, evidence suggests that while cyber-thieves are getting bolder and more technologically savvy, major card-issuing banks are failing to keep up. That sobering conclusion was reached in a new study conducted by Javelin Strategy & Research. Javelin looked at the online security practices of the 23 biggest credit card issuers and graded them on a 100-point scale. The average result was only 59. […]
[Phil Blank, head security and risk analyst at Javelin and author of the study,] says that while banks have some fraud prevention measures in place, they’re simply not keeping up with the growing sophistication and innovation employed by thieves. He says Javelin has “very strong stats” showing that for a full year after your personal information is compromised, you’re more likely to be a victim of fraud. […]
The Javelin study shows that issuers also fall short of the mark when it comes to fraud detection. Although Blank says detection criteria in this year’s study changed very little, banks still mustered only an average 17 out of 35 possible points. Luckily, issuing banks do a better job at resolution — that is, eliminating fraudulent charges from your account and issuing you a new card if the number’s been compromised. Unfortunately, just being reimbursed if somebody else uses your credit card account won’t do anything to protect you from any future attempts at identity fraud if a cyber-thief got their hands on your personal information.