Victims, retailers collide on ID theft bill
sacramento -- Stanley Greene of Orange was at his home computer, making a mortgage payment, when he noticed an unfamiliar $300 debit from the couple’s checking account.
Merrilee, his wife, said she knew nothing about the purchase.
“While we were talking, it happened again,” she recalled. “Another debit came through on the computer and another and another one. . . . Our checking account was compromised. They drained all of our funds . . . in a matter of days.”
The Greenes soon realized that they’d been the victims of identification theft and credit card fraud. On Monday, they joined others whose lives were turned upside down by computer hackers to lobby for a bill that would force retailers and financial institutions to adopt national standards to protect shoppers’ financial data they disclose.
Powerful business lobbies oppose the proposal as unneeded and say that passage could unleash a wave of expensive lawsuits against stores.
The bill, recently approved by lawmakers on bipartisan votes, now goes to Gov. Arnold Schwarzenegger for his signature or veto. The bill would require banks, credit unions and credit card companies to tell people the name of the retailer where the hackers grabbed their confidential information, including Social Security numbers, account numbers and personal identification numbers, or PINs.
“Going to the mall simply should not be identity theft Russian roulette,” said the bill’s author, Assemblyman Dave Jones (D-Sacramento). “What’s happening is that retailers are keeping the credit and debit card information, and it is available to hackers and other identity thieves, who perpetrate fraud.”
He said that only about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies.
Jones pointed to a massive security breach in the computers of TJX Cos., which operates the T.J. Maxx and Marshalls discount chains, as an example of lax security. Hackers late last year stole information on about 46 million credit and debit card accounts. The company recently settled a lawsuit related to the case for more than $100 million.
Jones’ AB 779 also would allow banks and credit card companies to sue allegedly negligent retailers for the cost of closing accounts and issuing new cards. Schwarzenegger, who is being lobbied heavily on the identity theft issue, has not taken a position and has until Oct. 14 to make up his mind.
The bill would “make retail outlets ultimately responsible for securing their own data,” said Lt. Bob Lozito of the Sacramento County Sheriff’s Department High-Tech Task Force. Law enforcement, he says, generally lacks the manpower or the expertise to police hacking and other computer crimes.
Credit unions support the bill, but most large business trade groups are asking the governor for a veto.
Jeanne Cain, a lobbyist with the California Chamber of Commerce, said the bill would make retailers potentially liable in lawsuits even if they fully complied with its security conditions.
“Nothing in the bill prevents the hacker from accessing the data even if you follow all the requirements,” she said.
Security standards are best left to contractual agreements between banks and credit card issuers and participating stores, said Bill Dombrowski, president of the California Retailers Assn. Tough new voluntary standards are being implemented this year and should become nearly universally accepted by the end of the year, he said.
“On the surface, the bill sounds great, but when you get into the implementation there are problems,” Dombrowski said. “You can’t take a 100-page document with all sorts of conditions and standards and easily put it into statute.”
But Greene says passage of the bill would give him the confidence to use credit cards again. He says he lost faith in the security of the financial system after his credit union “could not assure me that this would not happen again.”
--
