March 22, 2006
The Register: Recent widespread debit-card fraud likely has roots in three major data leaks that occurred in the last six months. (Read also, Debit card crime ring busted from ZDnet.) The mystery surrounding the data breaches underscores loopholes within the majority of state laws which aim to mandate the disclosure of security breaches. Moreover, the silence over responsibility for the breaches contrasts with consumer advocates' warnings that a federal law currently being considered by Congress will ironically roll back protections even further. Despite the recent epidemic of debit and credit-card fraud and last year's titanic breach at CardSystems Solutions, Congress is considering a bill that will let more companies escape taking responsibility for fraud, consumer advocates charge. The bill, known as H.R. 3997 or the "Financial Data Protection Act of 2005," would let companies decide when a data breach is significant enough to merit warning their customers.
There are three cases in which a company suffering a breach can bypass most current notification laws, all of which have some basis in the legislation, first drafted in California. The state of New York's Information Security Breach and Notification Act (S03492), passed in August 2005, however, does not contain the loopholes. A breach that includes any consumers from the state of New York would fall under the law's jurisdiction.
Read also, System leak compromises debit cards