Congress considers law to fight problem as companies report more breaches
With more reports of large-scale data-security breaches last week, the identity-theft problem seemed to be spinning out of control. That's prompting Congress to consider a tougher disclosure law and a government-academic cooperative to work on new technologies.
Security-breach disclosures by MasterCard International Inc. and Reed Elsevier Group plc's LexisNexis subsidiary last week, collectively affecting nearly 500,000 consumers, indicate that the extent of the problem may be greater than previously believed. "This may be just the tip of the iceberg," says Sophie Louvel, an analyst at research firm Financial Insights.
HSBC North America is notifying 180,000 customers that their General Motors-branded MasterCard account numbers may have been stolen while they were making transactions at a U.S. retailer. MasterCard learned of the incident in January and has been working with the retailer--Polo Ralph Lauren--and law enforcement to investigate.
The revelation came on the heels of disclosures last week about the extent of security breaches at LexisNexis. An investigation of the company's Seisint unit showed that as many as 310,000 customers might have had their Social Security and driver's license numbers stolen in fraud incidents going back to January 2003, LexisNexis said. Just last month, the company estimated only about 32,000 customers had their personal data compromised.
LexisNexis' Sanford told a Senate committee that the breach at his company was worse than previously expected.
The Senate Judiciary Committee last week took up consideration of a National ID Theft Notification bill, which would require companies to notify consumers when personal-identity data has been compromised. Based on California's Security Breach Information Act, the legislation lets consumers put a seven-year fraud alert on their credit reports.
At a Senate hearing last week, Kurt Sanford, LexisNexis' president and chief executive for U.S. corporate and federal markets, and Douglas Curling, ChoicePoint Inc.'s president and chief operating officer, admitted they didn't tell consumers about security breaches before 2003, when the California law was enacted.
On the technology front, the National Science Foundation last week launched the Team for Research in Ubiquitous Secure Technology, or Trust, an effort involving security specialists from colleges and IT vendors to develop IT that's more secure against cyberattacks. Trust is expected to receive nearly $19 million in NSF funding over five years. Participants include the University of California at Berkeley and Stanford University. Hewlett-Packard, IBM, Microsoft, Sun Microsystems, and Symantec also are affiliated with the project.
On the business front, the Financial Services Roundtable, a group of financial institutions, has made permanent its Identity Theft Assistance Center, which helps ID-theft victims for free. The center has operated on a pilot basis since August and has helped 700 people restore their identities. The center is funded by banks and operated by Intersections Inc., a provider of bank-branded ID-theft-protection services.
The center's rapid-response system shortens the time thieves can take advantage of stolen data and collects evidence to use against them in court. It takes, on average, two to three weeks to restore a victim's credit history once the center is notified. The center wants to reduce that to two to three days through process improvements.