A bipartisan Senate bill introduced this week would require notification of consumers in the event of a data breach as well as increase penalties and include jail time for company executives who fail to provide notification.
The Personal Data Privacy and Security Act of 2005, introduced June 29 by Judiciary Committee chairman Arlen Specter, R-PA, and Sen. Patrick Leahy, D-VT, also contains a provision that would grant consumers access to and the opportunity to correct public records, as well as a provision to limit the buying, selling and displaying of Social Security numbers.
This action followed the June 17 reports that CardSystems Solutions Inc., which claims to process $15 billion in Visa, MasterCard, American Express and Discover transactions annually, announced it had discovered a possible security breach May 22 and had contacted the FBI and the Visa and MasterCard card associations.
“CardSystems immediately began a remediation process to ensure all systems were secure,” the Tucson, AZ, company said in a statement. “Additionally, CardSystems immediately engaged an independent third party to validate systems security.”
Unauthorized storage of credit and debit card transaction data allowed the security breach at the third-party credit and debit card processing firm, potentially exposing 40 million cardholders to risk, according to The New York Times and Associated Press reports.
Also on June 17, MasterCard International revealed that the 40 million cards at possible risk included 13.9 million MasterCard-branded cards. According to MasterCard, its security team detected the breach and has directed CardSystems to come into compliance with the firm's security requirements.
CardSystems chief executive John M. Perry told the Times and AP that about 200,000 records across all card issuers were confirmed as stolen and that the data were being stored by his company without authorization and in violation of the credit card issuers' rules. He said the records were kept for research but that the practice was immediately discontinued. Transactional records include name, account number, expiration date and security code.
MasterCard told the press that 68,000 of its card accounts were identified as high risk because the data were exported from CardSystems.
In reaction to the news, the Federal Financial Institutions Examination Council, a group of five federal banking regulators, said June 21 that it was looking into the breach.
Even before this breach was revealed, federal legislators were crafting several bills on data security and identity theft. The Senate Committee on Commerce, Science & Transportation considered legislative options at a hearing on those topics June 16.
With a potential 40 million cardholders at risk, the CardSystems breach is seemingly the largest made public. Others have included CitiFinancial with 3.9 million customers at risk, data provider ChoicePoint with 145,000 consumers notified of a breach and LexisNexis with 312,000.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters
