    E-Theft: Who's Liable?

    By eWEEK EDITORS, August 13, 2001

      Watch out, online merchants: here comes the law.

      Legal challenges and legislation are poised to patch a key chink in the armor protecting people from identity theft: There are no legal consequences for companies that fail to protect personal information, such as credit card numbers.

      Hackers and identity thieves can be prosecuted — if they're caught. But while credit card companies pay up when swiped numbers are used, and victims of fraud suffer financially and emotionally, there is not yet a law covering how companies guard private customer data.

      Meanwhile, private lawsuits brought against companies with security lapses will soon constitute a high-profile “new breed” of legal case, said an international legal expert on identity theft, and interest in federal and state laws is spreading.

      “Any commercial entity that puts you in jeopardy because of their lack of keeping up with technology and because of their negligence — I think they should be liable,” said Mari Frank, a California attorney and author who testifies before state and federal lawmakers about identity theft. She lamented the legal vacuum surrounding data security, but predicted that in the absence of laws, people stung by security lapses will increasingly turn to private lawsuits.

      The issue of data protection grows more urgent with each electronic break-in. One case this month involved conference registration service site RegWeb.com — run by Cardinal Communications — which had a hole that revealed more than 300 customers' credit card numbers.

      States including California and Wisconsin are starting to address identity theft. Merchant liability in hacking cases is among the topics under discussion by lawmakers, said Allan Trosclair, executive director of the Coalition for the Prevention of Economic Crime, which represents banks, businesses and government agencies. And as states craft a hodgepodge of laws, a standard federal law “will be required to eventually protect consumers against inappropriate compromise of their information,” he said.

      Identity theft has become a “hot topic,” he said, because of the booming popularity of online credit card data theft and other forms of identity theft. Trosclair's colleague monitors chat rooms daily, looking for stolen credit card numbers and reporting them to credit card companies. He's seeing roughly 3,000 stolen credit card numbers traded in chat rooms each month, Trosclair said.

      Last week, federal regulators issued a proposed rule setting standards for how financial institutions protect private consumer information. The “Safeguards Rule,” proposed under the 1999 Gramm-Leach-Bliley Act that forced financial institutions to deal more systematically with consumer privacy issues, will inject a strong dose of regulatory oversight into information security practices within financial institutions.

      The definition of “financial institution” in the regulation is broad and includes, for example, retailers that issue in-house credit cards to shoppers. But it still leaves untouched the vast majority of institutions — from online retailers to newspaper Web sites to Internet services like Microsoft's Passport — that regularly collect and store credit card information.

      Meanwhile, the three major credit card companies — American Express, MasterCard International and Visa International Service Association — all have programs aimed at giving merchants more online security muscle.

      This year, MasterCard unveiled its Site Data Protection Service, a set of security products and measures offered to its merchants. MasterCard also has rules for merchants to follow when processing and storing credit card information, said Stephen W. Orfei, an executive in the e-business division of MasterCard.

      “There are penalties and there are consequences if you don't process properly. You can lose your license to process,” among other things, he said. “Unfortunately, the incidents of hacking are on the rise. Our membership was looking for us to come up with a viable solution, and that's what we are delivering to the market right now.”

      Earlier this year, Visa launched its Cardholder Information Security Program, which requires vendors that collect and store credit card information remotely to meet a set of security standards, from installing firewalls to encrypting stored data.

      And late last year, American Express started using VeriSign's Payflow, which gives merchants the option to let American Express process and store all American Express charges.

      In the case this month, RegWeb was storing the numbers for 877Chicago.com, a site that's run for the Chicago Convention and Tourism Bureau by a third party called McCord Travel Management. A link to a hacker Web site listing the stolen credit card numbers was e-mailed to Interactive Week in early August.

      Cardinal CEO Rodman Marymor said the company switched Web hosters and a file containing credit card numbers got left behind on the old server. When he learned of the security hole, Marymor said he immediately notified the credit card companies and later told the FBI. He said the credit card companies told him not to notify cardholders directly, but to let them notify banks.

      Cardinal is bringing in an outside security company to audit RegWeb's operations, Marymor added.

      Notification should always occur, said Ray Bruce, president of the Consumer Protection Association of America. “If companies were doing what was right, they would notify the businesses and consumers that they're doing business with that there's a potential that their privacy has been violated.”

      Cases like RegWeb's also illustrate the need for “laws that hold [companies] accountable for exposing us to identity theft,” attorney Frank said.

      Merchant liability in such cases is “murky,” said Alan Davidson, associate director of the Center for Democracy and Technology. “There is a big question mark out there: How does negligence apply in the computer security contexts? And we don't have an answer to that question.”
