News Now

CU System
Breaches expose flaws in data privacy laws
BOSTON (4/1/08)--Credit unions backing state privacy and data breach bills might want to check the bills they're supporting for loopholes such as one exposed in Massachusetts' new data privacy law when grocery chain Hannaford Bros. disclosed a sophisticated first-of-its-kind data breach.

The Massachusetts statute, like many similar statutes, requires companies to notify state officials and residents when they lose control of records that could lead to the theft of personal information such as a person's name and credit card number. State officials say the law applied in the case of the Hannaford breach, according to the Boston Globe (March 30).

Even though it disclosed the breach, Hannaford says it was not required to make such a disclosure, even after it learned the information from the cards was sent overseas. Hannaford's General Counsel Emily D. Dickinson wrote in a letter to Massachusetts Attorney General Martha Coakley and the state Office of Consumer Affairs and Business Regulation that the loss of card numbers alone does not amount to loss of personal information, as defined by Massachusetts law. She added that Hannaford's notice to regulators was a form of voluntary cooperation. The company did not believe that notice of the breach was required.

Thirty-nine states have laws requiring some form of disclosure following a breach. Most say the companies involved must file reports when they lose card data with customers' names and other personal details. They don't address what happens when a company experiences the loss of just numbers, without the customers' names, as happened in the Hannaford breach.

Most laws include names and data because together they constitute potential identity theft, said Chris Hoofnagle, a specialist in privacy law at the University of California. Hoofnagle told the Globe that losing only numbers is considered less threatening because there's less chance of abuse and because card issuers often forgive many fraudulent charges.

Hannaford revealed on March 17 that 300 stores in its system were compromised by a first-of-its-kind data breach that illicitly placed software on the stores' servers and lifted credit and card numbers and expiration dates of 4.2 million customers. The breach was discovered on Feb. 27. It disclosed the details in stages, through a press release, a statement on its website, and the letter to the Massachusetts regulators.

