Friday, August 17, 2007

Class action lawsuit filed against Certegy for data breach

Data breaches are likely to become costly for organizations that fail to protect their information. The TJX data breach (45 million people compromised, and counting) has inspired several legal actions in both the United States and Canada.

Now a similar action is being brought against Certegy, a check verification company, which had an insider sell information to a data broker that (as far as I know) still has not been disclosed.

An August 15th press release announced:

The law firm of Girard Gibbs LLP (http://www.girardgibbs.com/) has filed a class action complaint on behalf of approximately 8.5 million consumers nationwide whose financial and personal data was stolen by an employee of Certegy Check Services, Inc. and Fidelity National Information Services, Inc. (NYSE: FIS) and released to unauthorized third parties. The complaint alleges that a senior database administrator misappropriated the confidential information of millions of consumers and then sold the data to direct marketing firms and data brokers who may have resold it to others.

“Certegy and FIS had a duty to safeguard the confidential data of consumers from any breach, including that of their employees. Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner,” said Eric Gibbs, one of the attorneys for the plaintiff. “The failure by these companies to make the internal data breach immediately known exposed consumers to direct marketing campaigns and the risk of unauthorized use of their bank accounts and identity theft.”

This case is interesting because it involves customer information that was collected at merchants, who used the service to verify whether a person's check, or sometimes a payment card, was good.

I wrote a couple of posts about Certegy, which received a lot of comments. One comment, by a "Risk Manager", opened up (in my opinion) another can of worms:

I think there is a bigger issue here: Certegy does not "own" the data that was stolen; in fact, it is records of Certegy's customers, such as the businesses that contract Certegy for check-cashing services. I would ask Certegy to confirm what they store on their systems, how long they store it, and why bank account and credit card numbers are stored, AND investigate whether Certegy violated any Visa/PCI mandates.

This seems to be a reasonable question, especially in light of some of the higher-profile data breaches we've seen recently. However, in this instance, since all it takes is one person with legitimate access to compromise the information, compliance with those mandates probably wouldn't have made much difference, although storing less data, and for less time, would at least have limited how much a single insider could walk away with.

The reality is that what Certegy sells to merchants is precisely the fact that it stores a lot of information on people. Without that information, it would have no service to sell.

Nonetheless, the comment does warrant consideration of how well third-party databases are protected, especially when they contain detailed personal and financial information.

I'm not sure why the data broker who bought the information hasn't been identified. Data brokers are in the business of buying and selling information all the time. Information is worth money, and it is being sold (some believe haphazardly) constantly.

Recently, it was disclosed that a data broker sold lists targeting elderly gamblers to sweepstakes (lottery) scammers. The New York Times reported on it here.

Current laws allow financial institutions to sell your information unless you go through a fairly complicated opt-out process. They are required by law to notify you of your rights, but these notices are usually sent by snail mail and are called "privacy notices." I've often made the mistake of thinking they were junk mail and shredded them.

They don't make it easy for the average person to protect their information.

I wonder how much personal information is sold to people who shouldn't be getting it. Even if we manage to opt out today, how much of our information is already stored in a database somewhere?

Since the people who enable information to be compromised are making billions of dollars by selling it, perhaps more of these lawsuits are one way to hold them accountable and to bring some sanity to a situation that seems to get worse all the time.

Of course, more laws to protect consumers are also needed!

As I stated earlier, this is going to be interesting. I don't know where it will go, but maybe it is a signal to the people data mining our information to wake up and smell the coffee.

If they don't, they might end up dealing with a lot of litigation, which is always very costly.

It might also put them out of business. Dark Reading ran an article this week about another third-party vendor, Verus, which folded after it was disclosed that it had lost a lot of people's information belonging to several hospitals. The point of compromise in that case was the failure of some IT staff to keep a firewall up while transferring information between servers.

Here are my two previous posts on the Certegy breach:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

1 comment:

TeaRowz said...

Please see:
http://www.safeplacestylings.com/certegyalert.html
for information about the possible correlation between the Certegy security breach, and ID theft.