|CNN's Allan Chernoff reports on a security breach at a third-party payment processor that is impacting millions of credit card users. (June 20)|
NEW YORK (CNN/Money) – Over 40 million card accounts potentially exposed to fraud is a big deal. But is it unusual?
The breach that occurred at CardSystems Solutions, involving 22 million Visa cards, 13.9 million Mastercard cards and over 4 million cards of other brands, may be the biggest yet. But that's hard to say definitively.
Here's why: Until 2004 -- when California enacted the first law of its kind in the country -- businesses weren't required to disclose breaches that exposed consumers' personal information. Breaches were rarely, if ever, reported publicly.
Since large companies do business in more states than California, complying with the California law forces their hand to alert consumers in every state.
That's in part why we've been bombarded in recent months with reports of data breaches at consumer information aggregators like ChoicePoint, retailers like DSW and companies like Bank of America and Time Warner, parent company of CNN/Money.com.
Not including the CardSystems breach, 10 million consumers have had their information exposed in breaches since February alone, said Gary Clayton, founder and CEO of Jefferson Data Strategies, which advises businesses on compliance with privacy laws and data protection.
Shy of outlawing computers and pulverizing databases, "(Breaches are) not something that can be prevented entirely," said Michael Brown, president of CardCops.com, which alerts consumers and merchants to potential breaches of personal information.
Most of those breaches typically occur on smaller companies' systems, though, Brown said.
The cost of minimizing breaches
State-of-the-art technology and a crack IT team help in minimizing breaches. So, too, can encrypting data, which few companies currently do but may soon take up. "It's not cheap," Clayton said.
In the case of credit card fraud, some say there's not a lot of financial incentive for credit card companies and issuers to do more to protect consumer information since they're not footing the bill.
It's the merchants who shoulder most of the costs. Consumers are not liable for the charges, but the merchant is – he doesn't get paid for the item purchased and must pay a fee for reversing the unauthorized charge.
Clayton disagrees that the credit card industry gets off scot-free, noting studies that suggest the overall cost of a disclosed breach that damages the reputation of a publicly traded company can be as high as 10 percent of the company's market capitalization.
The cost of replacing credit cards at risk of fraud is between $7 and $10 per card alone, he estimates.
By that reasoning, it's in the interest of credit card companies and issuers to minimize fraud. And many of the process costs for doing so "are not exorbitant," Clayton said.
They're primarily standardized costs to set up a process for detection, including a forensics examination if a breach occurs, and notifying consumers and law enforcement.
But the cheapest way to minimize breaches is adherence to sound data protection policies. "Most (breaches) are a failure to follow good business practices," he said.
The latest example is CardSystems, which admitted it was out of compliance with Mastercard's and Visa's security policies when the breach occurred.
What's Washington doing?
Since passage of California's disclosure law, identity theft – along with the business practices and black market that facilitate it – has become the focus of national debate.
It also has kicked legislative hearings on the issue in Washington into higher gear.
Of all the proposals to increase consumer protection, a national disclosure law is the one Clayton thinks has the best chances of passing.
But privacy advocates say businesses that profit from the unrestricted flow of personal information will do what they can to make it as unimposing as possible.
"Retailers and banks are trying to pass a law that's much weaker," Chris Hoofnagle told CNN's Aaron Brown on Monday. Hoofnagle is the director of the West Coast office of the Electronic Privacy Foundation.
More than disclosure, privacy advocates would like to see laws in place that give consumers far greater control over which companies can access and sell their data.
To learn more about what they are proposing and the complex network that trades in personal data, click here.
Am I at greater risk?
Mastercard made a point of saying that no highly sensitive personal information – such as Social Security numbers – were exposed in the breach. And thus far, Mastercard and CardSystems say that of the 40 million accounts exposed, they've only seen evidence that 200,000 of those accounts were exported by the hackers.
The hacking that occurred at CardSystems is the next generation of skimming, said Tom Kelly, a senior investigator at computer forensics firm Stroz Friedberg Investigations and a former credit card fraud investigator for the Postal Service and Citigroup.
When a credit card is skimmed, a cardholder's name, account number and security code are scanned, stored and used to create counterfeit credit cards, which are then sold.
Just having a name, credit card account and security code alone are not enough for a thief to steal your identity, but they can help. Just like private investigators and law enforcement officials, "(thieves) can use a little bit of information to get more," Brown said.
That's why it pays to monitor your accounts closely for suspicious activity and to get a new account number issued right away if you notice anything askew.
To read more about the breach at CardSystems, click here.