Whose Life Is It, Anyway?

Companies, Congress, and customers slug it out over some very personal information.

Like most virtual retailers, Guess.com—the online outfit of clothier Guess Inc.—proudly displays its privacy policy right on the Website. Six months ago, the pledge read: “This site has security measures in place to protect the loss, misuse, and alteration of the information under our control.” Reassuring stuff. There’s just one problem: the promise was evidently more lip service than customer service. In June, the Federal Trade Commission (FTC) filed a complaint against the E-tailer, claiming that it didn’t take much guessing for hackers to access Guess.com’s customer database. Apparently, one shopper was able to view credit-card numbers simply by entering a string of SQL characters into the site’s address bar.

Management at parent Guess eventually settled the charges, agreeing to follow stringent security measures for the next two decades. But the case is not exactly a freakish occurrence. These days, customer databases—and with them, customer Social Security numbers (SSNs), birth dates, and account balances—are being hacked on a fairly regular basis.

While some of the intrusions are harmless, many are not. In February, a cyberthief reportedly broke into a computer system at credit processor DPI Merchant Services. The database is believed to have contained some 10 million credit-card numbers.

The breach itself did not tick off lawmakers and consumer groups. What did? Some of the credit-card issuers that use the facility apparently failed to notify consumers about the incident.

Such inaction is not unusual. According to the FTC, 9 million people were victims of identity theft last year. Of that group, only 26 percent said they were notified of suspicious account activity by a card issuer or a bank.

Statistics like that—and a flood of voter complaints about statistics like that—have spurred some lawmakers to action. In July, California passed a watershed piece of legislation (SB1386) that requires U.S. companies to quickly inform Golden State residents when customer databases are compromised.

Consumer advocates hailed the law, arguing that businesses have long treated customers’ personal data as their own private property. But some business leaders worry that SB1386 is the opening salvo in a battle that could cripple CRM initiatives and heap huge burdens on responsible corporate citizens.

Indeed, the Federal Deposit Insurance Corp. is considering a new regulation that would mimic SB1386. In September, Sen. Dianne Feinstein (D-Calif.) introduced a bill in Congress that mirrors the California statute. Feinstein also cosponsored an amendment to the Fair Credit Reporting Act (FCRA) that would limit customer data sharing among financial-services companies.

Both pieces of legislation were voted down in November, while certain business-friendly provisions of the FCRA were reauthorized. But even with that vote, the regulatory tide may be turning in favor of consumers. As Deborah Birnbach, an attorney at Boston-based Testa, Hurwitz & Thibeault LLP, notes: “The California law is an absolute shifting of risk [away from customers] and onto businesses.” Adds Birnbach, who advises corporations on compliance issues: “Clients I’ve spoken to have expressed panic about this.”