Tuesday, June 21, 2005

CardSystems Solutions’ Security Breach Underscores How Lax
Data Security Puts Consumers At Risk For Fraud

CardSystems Solutions’ announcement that more than 40 million credit cards of all brands potentially have been exposed to fraud is a startling reminder of how vulnerable consumers are to having their sensitive information stolen by crooks, according to Consumers Union. While it appears that this security breach did not result in the exposure of information like Social Security numbers, consumers affected by this incident are at heightened risk for credit card fraud.

“Once again, weak security practices by businesses that hold sensitive consumer data have put millions of Americans at risk,” said Gail Hillebrand, Director of Consumers Union’s Financial Privacy Now campaign. “It’s becoming increasingly clear that we can’t depend on these businesses to keep this sensitive data out of the hands of thieves.”

Consumers who discover unauthorized charges on their credit card accounts should report them to their card issuer to limit their liability. Federal law limits consumer liability in credit card fraud cases to $50 per card. If this incident involved any debit cards, then consumers will face a tougher time cleaning up the mess since the unauthorized charges will remove funds directly from the consumers’ checking accounts. Federal law caps consumer liability for unauthorized debit card charges, but the amount can exceed $50 if the consumer does not report the charge promptly.

News stories about this massive security breach referred widely to card issuer “zero liability” policies. However, the posted “zero liability” policies of VISA and MasterCard both contain significant loopholes. For example, VISA’s policy does not cover consumers if the card was processed outside the VISA network, and MasterCard’s policy does not apply to the third unauthorized use in one year.

“Now is the time to eliminate the exceptions from the VISA and MasterCard ‘zero liability’ policies so zero really means zero,” said Hillebrand.

The regulatory guideline issued earlier this year by the federal banking regulator would allow the banks that issued these cards to decide whether or not to tell cardholders about the breach. Under the bank regulators’ weak guideline, banks don’t have to tell consumers about a security breach unless the bank decides that misuse of the data has already occurred or is reasonably likely. If the bank that issued your credit card doesn’t think your information is likely to be misused, they don’t have to tell you about the security breach, except in California and starting soon in a few other states.

“This incident should serve as a wake-up call for lawmakers to hold companies accountable for ensuring that strict data security practices are in place and followed,” said Hillebrand. “State and federal lawmakers also must give consumers stronger tools to protect themselves, such as the right to put a security freeze on credit files to prevent identity thieves from opening new accounts in their names.”

For more information on the identity theft safeguards advocated by Consumers Union, see:

Gail Hillebrand: 415-431-6747, ext 136
Susanna Montezemolo: 202-462-6262