Lack of transparency surrounding data breaches not a good thing

March 4th, 2009

In trying to secretly clean up after the series of data breaches at payment card processing companies, Visa and MasterCard are rendering ineffective the data-loss disclosure laws on the books in more than 30 states. These hard-won laws were intended to put pressure on companies and organizations to be more accountable for the sensitive consumer data they collect and store. In a recent Last Watchdog interview, John Ottman, CEO of Application Security, Inc., a leading database security firm, addressed some of the nuances and explained how the laws themselves are being undermined. Excerpts from LW’s interview with Ottman:

LW: Heartland Payment Systems, Visa, MasterCard and other financial institutions have taken to invoking the “under investigation” loophole as a way to avoid having to formally notify individuals that their data has been breached. What’s wrong with that?

Ottman: While the financial services industry says that it supports transparency and open communications with consumers regarding data breaches, in reality, the silence is frequently deafening when banks are hacked. While it is important to communicate judiciously with the public during cyber crime investigations, failure to notify consumers about stolen banking information can have a devastating impact on consumers who are the targets of cyber theft. Accounts that have been breached, but are not vigilantly monitored, can give hackers a critical head start in making fraudulent charges, which can be arduous for identity theft victims to rectify.

LW: Are the data loss disclosure laws in 30 plus states, in effect, thwarted?

Ottman: Many banks are following the legal letter of disclosure laws, but certainly not the intent. The myriad of international, federal, and state laws is creating the unintended loophole for banks to pick and choose which disclosure laws they comply with.

LW: So where is this all leading?

Ottman: The federal government must take a leading role in cyber security. There is an opportunity for the Obama administration to serve as the focal point for a strong, centralized cyber security policy that addresses the public and private sectors. And it seems like they are quickly taking steps to raise the national importance of cyber security by appointing a cyber security advisor who will report directly to the president.

New federal legislation – and recalibrating existing national laws – can address both the letter of the law and the expressed intent to strengthen our nation’s cyber security defenses… Although industry has traditionally chafed at the notion of enhanced government regulation, in this case a comprehensive set of “smart” regulations may reduce “compliance confusion” while strengthening national data protection efforts.

LW: Can the financial services industry really expect to get away with throwing a cloak around data breaches, especially as waves of ID theft quickly follow?

Ottman: Washington is sending strong signals that regulatory change is coming to Wall Street and bankers on main street. I share the common belief that many financial institutions will need to comply with a new level of transparency and communication with their customers and other institutions within the financial services ecosystem.

Moving forward, safety and trust are going to be key banking differentiators. With interest rates nearing all-time lows, service is going to be pivotal for banks to grow their businesses. As such, security will be critical. You wouldn’t want to live in a neighborhood that is riddled with break-ins, and consumers will increasingly place their accounts in banks that they trust will safeguard their information.

–Byron Acohido