From misplaced or stolen laptops to the sophisticated penetration of computer networks by teams of hackers, hardly a day goes by without news coverage of a data breach resulting in the compromise of sensitive data.
In the wake of these publicized breaches, two states, Texas and Minnesota, are moving forward with legislation that sets tougher standards for what information can be stored or shared by organizations and establish penalties in the event of a breach. Other states are sure to follow. This legislation ensures direct marketers – with their dependence on credit card transactions and sophisticated customer data – will remain firmly in the crosshairs of both regulators and cyber criminals.
The Texas legislation, HR 59, deals primarily with measures state entities must take to safeguard Social Security numbers against disclosure to the public. For direct marketers, the key provision of the bill, currently in the Texas House of Representatives, is its prohibition against using Social Security numbers as all-purpose unique identifiers.
The Minnesota law, however, should be of greater concern to direct marketers. It is the first US law to dictate harsh penalties for organizations that improperly retain credit and debit card information that is subsequently compromised in a data breach. The Minnesota law makes it illegal for any person or entity conducting business to retain certain identifying information from a debit or credit card subsequent to the authorization of the transaction.
If a person or entity violates the above prohibition and there is a breach of the person’s or entity’s security system, then that person or entity must reimburse the financial institution that issued any cards affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach to protect the information of its cardholders or to continue to provide services to cardholders, including, but not limited, certain costs incurred in connection with the breach. Although retailers must comply with the law starting August 1, they will not be liable for violations that occur before August 1, 2008.
Direct marketers should ensure that their data-retention practices conform to applicable state and federal laws as well as their agreements with credit card companies. They should also verify and vigilantly maintain the security of their computer networks. Although these compliance efforts are costly in both capital and time, the costs pale in comparison to those of the litigation, legal penalties and loss of sales that could result from a data breach.
As citizens and legislators become increasingly incensed over the proliferation of data breaches, direct marketers and other organizations that handle customer data can only expect data security regulations and the penalties for breaches to become more severe. Anyone who handles credit card transactions will remain a target of both the regulatory and criminal communities for some time to come.
