Since it appears most banks aren't going to notify customers whose credit card information was stolen in the CardSystems security breach, here's a suggestion. How about we all turn in our credit cards and get new ones?
A whole lot of disturbing things have come out the last few weeks in the unfolding story of the CardSystems credit card fiasco. Yet another company possessing millions of records of consumers who never even heard of the operation carelessly allows data thieves to pilfer them at will. Once again, the breach occurred in a space where privacy laws and government regulations don't seem to apply. And, of course, all the politicians promise that this time they really, really, really are going to do something about it, as soon as the big financial institutions tell them what.
I think, however, that one aspect of this situation deserves far more scrutiny -- the notification policies that have been adopted by the banks that entrusted our credit card numbers to CardSystems in the first place. Although 40 million of their customers were apparently exposed, and at least 200,000 credit card numbers are said to have been accessed by the identity thieves, many of the major banks are saying that they will only monitor those accounts closely. Only if there are signs of actual credit card fraud, rather than just the potential risk, will they take action.
The banks argue that, because they are good and getting better at detecting credit card fraud, it's best to leave it up to them to sniff out what's being done with the CardSystems data. "If we see fraud -- not just potential fraud -- we will notify the customer and secure the account," says David Chamberlin, a spokesman for Chase, the largest credit card issuer. "People should understand that (because only the card numbers and cardholder names were stolen), there is no threat of identity theft here. If anything comes of this, it will be fraud. And, at the end of the day, our incentives to protect our customers from credit card fraud are very great, because a lot of the liability for that is paid for by us. And the systems we have in place to detect that fraud are very sophisticated - we stop around 80 percent before it even happens."
But don't the tougher state privacy laws -- like the one in California that first led to the security breach revelations -- require the banks to notify their customers? Well, Chase doesn't think so. "Even the strictest of laws, like the one in California, require more identifying information like the individual's social security number or an account password be involved," Chamberlin told me. "None of those things were accessed in this case."
Others, however, believe that whatever the rules and regulations say, the banks have a responsibility to notify all those at risk. "Whatever the law actually says, we believe these companies should make a good faith effort to contact their customers," says Susanna Montezemolo, policy analyst with Consumers Union. "We fundamentally believe that when sensitive personal information like your credit card number has been stolen -- which is data that can do you a lot of harm -- you should be notified. It shouldn't be just up to the banks to decide what the probability of harm is. It's the consumer's information that was stolen, through no fault of their own, and it's the consumer who should decide."
Montezemolo believes the banks are being shortsighted in trying to avoid notifying their customers. "I think they are doing their customers a disservice, and ultimately they are doing themselves a disservice as well," she says. "Concerned consumers do have one way of acting in their own interests in this case. They can say, fine, if you're not going to tell me whether my data was stolen, give me a new card. It's too bad that we have to go through the inconvenience of getting a new card number, but that's the position the banks are putting us in if we want to protect ourselves."
It's true that the banks do have incentives to protect us from card fraud, but it's also true they have some incentives for keeping us in the dark. The banks say we can trust them to detect fraud, but they are the ones that entrusted our data to CardSystems and failed to detect how it was being misused. So perhaps the banks fear their liability here goes further than just reversing unauthorized charges.
To be fair, reports indicate that at least a few banks are coming clean with their customers. Perhaps, then, all we need to do is give the rest of them a little push by demanding we all be treated the same way. After all, those banks that weren't even using CardSystems should be more than happy to tell us so.
Changing credit card numbers can be a royal pain, so I'm not advocating everyone necessarily do that just yet. If enough customers push by continuing to demand information from their banks, I believe our financial institutions will see the light. It just makes sense that every bank should inform every customer whether or not their credit card info was in the CardSystems files, and, if so, whether it's known to have been accessed by the thieves. But if ultimately your bank refuses to tell you anything, then you have to assume the worst. And then you should not just get a new credit card number -- you should get yourself a new bank.