This Time, Security Breach Is Personal
An extremely apologetic Bank of America representative called me the other day with the news that I had fallen victim to one of the hazards and vicissitudes of post-modern American life: the theft of one’s Social Security number from the files of a major international corporation.
BofA reported that my Social Security number, name, address, telephone number and online banking ID were all stored on a bank laptop stolen from a car in the Bay Area five weeks ago. What scared me most about this event wasn’t that it happened at all, but that I almost shrugged it off -- as though I would have been more surprised to learn that my data were still uncompromised after years of being carelessly shot around the world by banks, credit card companies, and database marketers.
Another shock came when I scoured the news clips to learn what BofA had said publicly about the May 20 theft. It turned out that the bank had never disclosed the incident to the general public. It merely notified the 18,000 California customers whose privacy may have been threatened, as required by state law, and only after a month had elapsed.
Strangely, I’d been certain that I had already read about BofA’s laptop theft. But no -- I had confused several earlier incidents. UC Berkeley was the most recent institution to lose a laptop with the private data of thousands of individuals, following similar snafus at General Motors Acceptance Corp. and MCI Inc.
The BofA breach I’d read about involved employees who allegedly sold account numbers belonging to about 60,000 customers to collection agencies. (In a separate incident, the company lost backup tapes containing private information about 1.2 million federal workers.)
These examples of unconscionably slack security had become jumbled together in my mind, seasoned with such other episodes as the sale of personal data to a Nigerian fraud ring by ChoicePoint Inc., a database company, and the hacking of up to 40 million credit-card numbers assigned to customers of Visa USA, MasterCard International, American Express and Discover.
Consumers, obviously, have become powerless to protect themselves from the exposure of their personal data; no amount of individual vigilance can forestall the disclosure of one’s Social Security number when it’s entrusted to bank employees who can’t remember to keep their laptops properly secured.
Fearful of tougher government regulations, financial service companies talk bravely about instituting new safeguards and actually enforcing those already in place. But let’s not forget why they’ve been so cavalier until now.
The banks haven’t focused on what lax security costs consumers because they haven’t really regarded the data in their files as the consumers’ property. They think it’s their property. That’s why they’ve been fighting so hard against a California law that limits their ability to share customer data among their subsidiaries -- once they’ve collected the information, they feel they have the right to use it as they wish. (They use it to bombard us with cross-marketing pitches for insurance policies, mutual funds and other products.)
If this information gets hacked, it’s not a corporate disaster; until recently, banks hadn’t shown any genuine sympathy for customers doomed by a hacking incident to a lifelong battle with identity thieves.
I don’t mean to pick on BofA, which did inform me of the laptop theft, after all. The bank considers the theft to be an ordinary instance of street crime, and notes that the compromised information hasn’t been used thus far. It says the laptop was password-protected, but acknowledges that the files were not encrypted.
Still, the bank’s response to the incident has been feeble. For one thing, it hasn’t adequately explained why, in this age of high-speed secure communications, any sensitive information needs to be downloaded to a piece of portable hardware. A BofA spokeswoman says policy requires such data to be stored in encrypted form, and says that wasn’t done in this case because of “human error.” The distinction between a password and encryption matters more than the bank’s statement lets on: a login password protects nothing once the machine is in a thief’s hands, because the drive can be pulled or the laptop booted from another disk and the unencrypted files read directly. Only encryption of the files themselves, or of the whole disk, keeps stolen data unreadable. But why doesn’t policy call for all such information to remain on the bank’s secure servers, from which it can be accessed only by authorized users?
Nor has the bank explained why it never disclosed the incident publicly. If Congress and state legislatures are going to enact tough privacy regulations, as they must, they need to know the scale of the problem. Most disclosures of data losses have resulted from California’s law requiring that customers be told or from statements by law enforcement officials. BofA’s inexcusable silence suggests that hundreds of financial institutions may have suffered similar breaches and kept mum.
Then there’s the bank’s response to me, the consumer. It has offered me a year of “complimentary credit monitoring,” along with a free credit report and a free 90-day fraud alert on my credit record.
But security experts say that the consequences of data theft can persist for years, not only one year. Under federal law, moreover, I’m already entitled to a free credit report and free fraud alerts on my record.
Plainly, the cost of providing such services for the victims of security breaches isn’t high enough to force banks to treat private data like the precious goods they are. Suppose Congress required that any data breach involving more than 100 files be publicly disclosed, and gave individuals legal standing to sue for damages any bank that mishandled their information, or imposed some penalty equally stringent? Then when BofA wrote me to say, as it did last week, that “the security of your information is a top priority at Bank of America,” I might believe it.
Golden State appears every Monday and Thursday. You can reach Michael Hiltzik at firstname.lastname@example.org.