Chairpersons Jackson and Correa, and members of the Senate Judiciary and Banking Committees:
Thank you for the opportunity to testify today on the topic of data breaches.
I’m Beth Givens, the director of the Privacy Rights Clearinghouse. We are a nonprofit consumer education and advocacy organization, based in San Diego and established 21 years ago in 1992.
Since 2005, we have maintained a list of data breaches on our website – breaches from all sectors of the U.S. economy. While breaches in the retail sector have not been as numerous as, say, breaches in the education sector, nonetheless there have been a few large ones. The Hannaford Brothers Supermarket chain, for example, experienced a breach of 4.2 million credit and debit card numbers in 2008. However, based on our records, the recent Target breach, at 40 million credit and debit card data, appears to be the largest breach in the retail sector, and among the largest among all sectors. And by the way, we are the first to admit that our list, while extensive, is nowhere near complete.
A question that is often asked is this: What is the relationship between data breaches and actual identity theft? If my personal data has been compromised in a data breach, does that mean that I’m more likely to become a victim of identity theft?
The California company, Javelin Strategy and Research, has done some important research regarding this question. Their February 2014 report states that “nearly one in three data breach victims in 2013 also became a fraud victim in the same year. This is up from one in four in 2012.”
Javelin also states that criminals have gravitated away from the misuse of Social Security numbers to instead focus on compromised payment card data. In other words, they have moved away from “new account fraud”, in which Social Security numbers are key … to “existing account fraud,” in which payment card data is used to commit fraud.
It has become a “best practice” for breached organizations to provide individuals with credit monitoring services free of charge for one year following the breach. Such services are useful in tracking any changes in your credit report – so you can detect the opening of fraudulent new accounts in your name.
In fact, Target has offered those individuals whose credit and debit cards were used to shop there from Black Friday to mid-December the ability to sign up for a credit monitoring service.
But … what’s wrong with this picture? In the case of Target, it’s not Social Security numbers that were exposed – so it’s highly unlikely that shoppers will become victims of crooks opening up brand new credit cards in their name. Instead, Target shoppers are at risk for existing account fraud – in which counterfeit credit and debit cards can be made and used by criminals to go on shopping sprees.
I am critical of Target for offering credit monitoring to their shoppers. Most consumers don’t know the difference between existing card fraud and new account fraud. And those who sign up for Target’s free credit monitoring service will get a false sense of security and think they are immune from fraud on their credit or debit card. For this reason, I am critical of Target for offering an inappropriate remedy to its shoppers, even though I do understand their public relations reason for doing so.
And speaking of the higher risk for payment card fraud among recent Target shoppers, I’d like to comment briefly on the differences in impact between credit card fraud and debit card fraud on consumers. If a debit card user becomes a victim of fraud, it’s likely that their checking account could be wiped out. Yes … financial institutions promise that they will quickly replenish those funds. But we have talked with consumers who were left with zero balances in their checking accounts while the financial institution investigated the crime – from a couple weeks to more than a month.
Meanwhile, if an individual is a victim of credit card fraud – and I’m one of those, as I would imagine many people in this room are – their funds are untouched while the investigation is conducted. They don’t have to face the disastrous consequences of having their checking account drained. Because of this, we at the Privacy Rights Clearinghouse strongly recommend that consumers do NOT use debit cards.
This panel’s focus is on the data breach notice law. And in closing, I will make two brief comments about California's existing law.
First, I think the notice exemption for encrypted records needs to be re-examined. Computer technology has advanced significantly since the implementation of the law in 2003, and powerful computers are now much more capable of unscrambling encrypted data. I ask the question: is it time for the encryption provision to be removed?
And finally, I would recommend that breaches of paper records be added to the data breach notice law. Several states include such a provision in their data breach laws. And here in California there have been many major breaches in which paper records have been compromised.
Thank you for the opportunity to testify today. I wish you the best in your deliberations on this important issue.