Businesses That Lose Customer Data May Have To Cover The Costs


Identity theft keeps growing, according to a survey released last week by Gartner, despite businesses' best efforts (or not) to secure their systems.

At least 15 million Americans are now victims of identity fraud, up more than 50% since 2003 when the Federal Trade Commission released its numbers, Gartner says. Americans are also losing more money to identity fraud--$3,257 on average in 2006, compared to $1,849 in 2005--and they're recovering less, an average of 26% less.

Thieves are attacking what are now the weakest links in the U.S. payment system, which are not banks, but businesses that accept electronic payments and consumers themselves, says Avivah Litan, the analyst who wrote the Gartner study. They're stealing credit card and checking account numbers, user IDs and passwords for online accounts.

Litan warns any business that stores this type of information to cut it out until they secure their systems. She also suggests a federal law protecting consumers from financial losses and says businesses should pay for that protection when the data they're keeping is breached.

Spurred on by the gigantic data breach revealed in January at TJX, which compromised millions of customers in four countries plus Puerto Rico, the state of Massachusetts where TJX is headquartered would go even farther. The legislature there is considering a bill to make TJX and other Massachusetts businesses cover the costs when their systems are breached. This would include freezing customers' bank accounts and canceling and reissuing credit cards. There may be a similar bill in Congress, according to Rep. Barney Frank, the Massachusetts Democrat who chairs the House Committee on Financial Services.

No word yet on what might happen to the vendors who sell the software that's getting hacked. Surely the pressure on them to assume financial liability for insecure systems will increase as well.