E-Theft: Whos Liable?

Watch out, online merchants: here comes the law.

Watch out, online merchants: here comes the law.

Legal challenges and legislation are poised to patch a key chink in the armor protecting people from identity theft: There are no legal consequences for companies that fail to protect personal information, such as credit card numbers.

Hackers and identity thieves can be prosecuted — if theyre caught. But while credit card companies pay up when swiped numbers are used, and victims of fraud suffer financially and emotionally, there is not yet a law covering how companies guard private customer data.

Meanwhile, private lawsuits brought against companies with security lapses will soon constitute a high-profile "new breed" of legal case, said an international legal expert on identity theft, and interest in federal and state laws is spreading.

"Any commercial entity that puts you in jeopardy because of their lack of keeping up with technology and because of their negligence — I think they should be liable," said Mari Frank, a California attorney and author who testifies before state and federal lawmakers about identity theft. She lamented the legal vacuum surrounding data security, but predicted that in the absence of laws, people stung by security lapses will increasingly turn to private lawsuits.

The issue of data protection grows more urgent with each electronic break-in. One case this month involved conference registration service site RegWeb.com — run by Cardinal Communications — which had a hole that revealed more than 300 customers credit card numbers.

States including California and Wisconsin are starting to address identity theft. Merchant liability in hacking cases is among the topics under discussion by lawmakers, said Allan Trosclair, executive director of the Coalition for the Prevention of Economic Crime, which represents banks, businesses and government agencies. And as states craft a hodgepodge of laws, a standard federal law "will be required to eventually protect consumers against inappropriate compromise of their information," he said.

Identity theft has become a "hot topic," he said, because of the booming popularity of online credit card data theft and other forms of identity theft. Trosclairs colleague monitors chat rooms daily, looking for stolen credit card numbers and reporting them to credit card companies. Hes seeing roughly 3,000 stolen credit card numbers traded in chat rooms each month, Trosclair said.

Last week, federal regulators issued a proposed rule setting standards for how financial institutions protect private consumer information. The "Safeguards Rule," proposed under the 1999 Gramm-Leach-Bliley Act that forced financial institutions to deal more systematically with consumer privacy issues, will inject a strong dose of regulatory oversight into information security practices within financial institutions.

The definition of "financial institution" in the regulation is broad and includes, for example, retailers that issue in-house credit cards to shoppers. But it still leaves untouched the vast majority of institutions — from online retailers to newspaper Web sites to Internet services like Microsofts Passport — that regularly collect and store credit card information.

Meanwhile, the three major credit card companies — American Express, MasterCard International and Visa International Service Association — all have programs aimed at giving merchants more online security muscle.

This year, MasterCard unveiled its Site Data Protection Service, a set of security products and measures offered to its merchants. MasterCard also has rules for merchants to follow when processing and storing credit card information, said Stephen W. Orfei, an executive in the e-business division of MasterCard.

"There are penalties and there are consequences if you dont process properly. You can lose your license to process," among other things, he said. "Unfortunately, the incidents of hacking are on the rise. Our membership was looking for us to come up with a viable solution, and thats what we are delivering to the market right now."

Earlier this year, Visa launched its Cardholder Information Security Program, which requires vendors that collect and store credit card information remotely to meet a set of security standards, from installing firewalls to encrypting stored data.

And late last year, American Express started using VeriSigns Payflow, which gives merchants the option to let American Express process and store all American Express charges.

In the case this month, RegWeb was storing the numbers for 877Chicago.com, a site thats run for the Chicago Convention and Tourism Bureau by a third party called McCord Travel Management. A link to a hacker Web site listing the stolen credit card numbers was e-mailed to Interactive Week in early August.

Cardinal CEO Rodman Marymor said the company switched Web hosters and a file containing credit card numbers got left behind on the old server. When he learned of the security hole, Marymor said he immediately notified the credit card companies and later told the FBI. He said the credit card companies told him not to notify cardholders directly, but to let them notify banks.

Cardinal is bringing in an outside security company to audit RegWebs operations, Marymor added.

Notification should always occur, said Ray Bruce, president of the Consumer Protection Association of America. "If companies were doing what was right, they would notify the businesses and consumers that theyre doing business with that theres a potential that their privacy has been violated."

Cases like RegWebs also illustrate the need for "laws that hold [companies] accountable for exposing us to identity theft," attorney Frank said.

Merchant liability in such cases is "murky," said Alan Davidson, associate director of the Center for Democracy and Technology. "There is a big question mark out there: How does negligence apply in the computer security contexts? And we dont have an answer to that question."