We have a right to information on data security breaches
Sam Greyson was surprised to receive a new credit card the other day from Bank of America. He was also surprised to learn that the bank had changed his account number because of a security breach involving another business.
But the thing that surprised Greyson most was that when he called BofA to find out more about the breach, he was essentially told to pound sand.
“They wouldn’t tell us anything,” he said. “They said we could read about it in the newspaper.”
That would change if legislation now making its way through Sacramento becomes law. The bill from state Sen. Joe Simitian (D-Palo Alto) would tighten California’s existing breach-notification rules to require more detailed disclosure of privacy violations.
The legislation, SB 24, passed the Senate in April and is now under consideration in the Assembly.
It’s hard to see why anyone would oppose the bill. More than 530 million consumer accounts have been compromised in 2,520 known data breaches since 2005, according to the Privacy Rights Clearinghouse, an advocacy group.
The latest breach came to light Thursday when Citigroup said the names, account numbers and email addresses of as many as 200,000 bank customers were accessed by hackers who broke into Citi’s online account site.
The Citi breach was discovered by the company in early May. Citi has declined to say why it took weeks to notify customers of the incident.
“There’s nothing more disconcerting than getting a notice that says only, ‘Hi, we had a breach and you were affected,’” Simitian told me. “Ignorance is not bliss. What you don’t know can hurt you.”
In BofA’s case, the bank gave customers a toll-free number to call for more information, but it wasn’t exactly a pathway to enlightenment.
A recorded voice would have us believe that not even the bank knows what happened in the latest security breach. “Card issuers are not provided specifics on where or when your account was compromised,” the recording says.
Greyson, 56, said he was told the same by a BofA service rep. But when he managed to get a supervisor on the line, he said the bank acknowledged that “at least 100,000” accounts had been affected.
Betty Riess, a BofA spokeswoman, declined to confirm this when I called seeking more info. She said only that “if we think a customer’s account may be compromised, we will take steps to protect customers.”
That’s not good enough. As Greyson told me, he’d like to know which company was robbed or hacked so he can take his business elsewhere in the future.
Simitian’s bill wouldn’t give us that much sunlight. But it would require that customers be informed about the nature of the breach and what kind of information was compromised, as well as when the breach occurred and how many other people might have been affected.
“The bill isn’t as tight as I would like it,” Simitian said. “I got a lot of pushback from industry.”
As I’ve said before, the keepers of our personal data have a great responsibility. If they’re unable to keep the data safe, we have a right to know — and these businesses should bear the full weight of public accountability.
Simitian’s bill is a further step in the right direction. It should be approved by the Assembly and signed into law by the governor.
Then we should go the next step and ensure that hacked companies share consumers’ pain. I’m thinking their identities should have to be publicly revealed and they should pay a fine of, say, $500 for every customer account involved.
Maybe that would result in better security practices.
Soda hide-and-seek
David Keleman of southern Orange County contacted me with an interesting observation: Why do an increasing number of restaurant chains seem to be hiding the price of soft drinks?
“If you look, they’re not on the menu,” Keleman said. “It’s like they don’t want you to know how much the drinks will cost until after you order them.”
I checked around, and he’s right — a number of chains omit soft drink prices from their menus. You won’t see them at Chili’s, for example, or Applebee’s, El Torito or T.G.I. Friday’s.
Managers at these establishments told me the individual restaurants aren’t to blame and the decision to keep soda drinkers in the dark was made at the corporate level.
No one at the head offices of Applebee’s or El Torito returned my calls for comment. But spokeswomen for Chili’s and T.G.I. Friday’s said soda prices aren’t included on menus because they might vary from place to place.
This explanation didn’t impress Steve Blackledge, policy advisor for the California Public Interest Research Group, a consumer advocacy organization.
“Soft drinks aren’t like the catch of the day,” he said. “They don’t change that much.”
All prices for all goods should be clearly marked before a purchase. Ordering a meal shouldn’t be like playing hide-and-seek.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to david.lazarus@latimes.com.
