Regulations and Laws


As we embark on 2011, much of the payments industry is focused on converging payment technologies – traditional payment methods meeting and working with new technologies.  This progress is exciting on many levels.  We can increase card acceptance, increase purchases and, in some cases, purchase size.  These are all good things, but as organizations adopt these new technologies it is important to keep in mind the new risks that are being introduced as well.  Small organizations are especially susceptible to “organic growth” of their information ecosystem.  In other words, the smaller the organization, the more likely it is that new processes will be adopted without examining the impact on the data: What new data is being collected? What new data entry points are being added? How will the new data be handled and who will have access to it?

Why are small businesses sometimes more likely to fall into this trap than others?  One reason is simply the lack of in-house resources.  People don’t often go into business out of a burning desire to become data security and privacy experts (unless they are starting a data security or privacy consulting firm). Privacy and data security are extremely complex discussions.  Understanding the nuances of these issues is time-consuming, not to mention often headache inducing.  Small business owners are, rightfully so, concerned with more immediate and pressing concerns like making payroll, paying the rent and ensuring happy repeat customers.

Another, more subtle and insidious, reason for this trap is that many small businesses operate under the assumption that, because they are small businesses, they are “flying under the radar” of data thieves.  In fact, the Privacy Rights Clearinghouse tells a different story.  While the number of records compromised may be smaller this year than last, that appears to be because data thieves targeted more small businesses this year.  The trend appears to be that more small businesses were hit than in previous years.  It should also be noted that the 2009 numbers were drastically skewed as a result of the largest data breach ever reported.  In 2010, though, small businesses appeared to be the target of preference for data thieves.  For a complete list of reported data breaches since 2005, visit the list maintained by the Privacy Rights Clearinghouse.

So what is a small business to do?

Ask questions – Many small businesses rely on merchant service providers.  Those service providers are partners in your business in the respect that your business may depend on their practices.  Ask questions about how they manage security and privacy issues for themselves and their customers.  Ask probing questions about their practices.  Do they offer remote management of POS systems and, if so, how do they secure those management sessions?  Does each merchant have a unique username and password?  If you are not comfortable with their answers or they are unable to give answers to your questions, you may be better served to keep searching.

Be Aware – It is extremely difficult to keep abreast of changes in the regulatory landscape or evolving threats to sensitive data. There are firms that maintain a healthy revenue stream by helping companies monitor changing regulation and standards.  However, the card brands often put out bulletins for merchants that alert them to new data theft techniques or evolving methods of data protection.  Visa’s merchant page on security can be found here.  To visit MasterCard Worldwide’s merchant resource page, click here.

Minimize Data Collection and Storage – One of the cardinal rules of data security is “don’t store it if you don’t need it!”  This does require some examination of your current practices to determine exactly what is being collected and stored in terms of sensitive data.  There are companies, ProPay among them, that can help companies process and accept credit and debit card transactions without ever storing, processing or transmitting cardholder data.  Not only does this lessen the burden of complying with the PCI DSS and the various state data breach notification laws, it minimizes the impact should a data thief decide to target your business – if you don’t have data, they can’t steal it.

Dr. Heather Mark, PhD.  SVP  of Market Strategy

On December 18, 2010 President Obama signed into law the Social Security Number Protection Act of 2010.  Despite its broad title, the law is fairly narrow in its scope, and it applies only to government agencies, not to the private sector.  The law has two primary provisions.  The first prohibits federal agencies from printing the recipient’s social security number, “or any derivative” thereof, on any government check.  Government agencies have three years from the effective date of the law to comply with this requirement.  The second clause of the law precludes Federal, state or local agencies from employing convicts in any position that would give them access to social security numbers.  (We need a law to tell us that this is not a good idea?)  Agencies will have one year to comply with this requirement.

Laws like this are good for two purposes: 1) protecting our data from those with bad intentions and 2) reminding us how far we still have to go in the protection of that data.  Did we really need a law to tell us that printing SSNs on checks or letting convicts access personal information is bad practice?  Private companies have been held to an increasing number of regulations that often differ in scope, objective, target, etc., which only makes the duty of protecting personal data more difficult.  Which law applies, which data must be protected, and how must that data be protected?  The myriad of regulations that face organizations can make the protection of data overwhelmingly complex.  There are a number of sources, though, that can help organizations implement strong, comprehensive information programs (information programs include both privacy and security, as opposed to simply “information security programs” or “privacy programs”).  Some of these sources include:

  • A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (December 1, 2010)
  • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • Generally Accepted Privacy Principles

Following guidelines like these can help companies proactively address privacy concerns, manage compliance with various state, federal and international laws, as well as prepare for any laws that may be forthcoming.  Being proactive about privacy helps both with compliance and with brand issues.

Dr. Heather Mark, PhD.  Sr. Vice President, Market Strategy

Over the last couple of weeks, the US has seen some interesting developments with respect to privacy.  We’ve seen the courts issue decisions that indicate that Social Security Numbers are not necessarily as protected or as unique as consumers are often led to believe.  (see here and here)  This week the Federal Government is adding more confusion with seemingly conflicting positions.  The first is the release by the Federal Trade Commission of a preliminary report on privacy practices.  The report, which can be found here, makes several recommendations to help consumers protect their identities and their privacy online.  Among the recommendations are:

  • Do Not Track – allow consumers to opt out of any tracking or recording of their online behaviors.  A practical challenge with such a mechanism is that this may require a persistent cookie which, in and of itself, is a form of tracking.  While it sounds good in theory, there are some tricks to a viable working solution.  The same can be said of Europe’s proposed “right to be forgotten.”  It’s an excellent notion, but how can it be put to practical use?
  • Privacy by Design – According to the report, this would include “providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy.”
  • Simplified Consumer Notice – The FTC recognizes, as do most consumers, that simply posting a privacy notice is often not sufficient to explain an organization’s privacy practices.  In many instances, these policies are written by legal teams and not easily understood.

The FTC should be applauded for moving forward on the creation of a privacy framework.  The United States significantly lags behind its cohort group in the protection of consumer privacy.  The FTC has advocated for consumer privacy and has published its Fair Information Practices, which provide guidelines for companies on how to protect the privacy of their consumers.  As a backdrop to these actions to protect consumer privacy, though, is the government’s attempt to create “Fusion Centers.”

Fusion Centers are described by the Electronic Privacy Information Center (EPIC) “as intelligence databases that have raised substantial privacy concerns. Information in fusion centers comes from many sources, including government agencies, private sector firms and anonymous tipsters.”  In other words, the government is seeking to aggregate as much information about everyone as it can through any number of sources, some of which are more reliable than others.  These databases were initially proposed in the aftermath of the Sept. 11, 2001 attacks.  On November 15, 2010, the Department of Homeland Security and the Office of the Inspector General released a notice seeking public comment on these Fusion Centers.  Certainly the argument can be made regarding the need for more complete information as the country seeks to mitigate terrorist threats, but privacy advocates are rightfully concerned that the information included in these databases be (1) accurate, (2) secure and (3) protected from misuse.  The Department of Homeland Security has issued a report entitled “Fusion Center Guidelines: Developing and Sharing Information and Intelligence in a New Era.”  In this document, the agency sets out rules for ensuring civil liberties and the protection of privacy while still maintaining these comprehensive information repositories.  The question becomes one of oversight.  What person, agency or other organization is going to monitor these Fusion Centers to ensure the protection of citizens’ rights?  The report does set forth guidance for law enforcement agencies on the creation of “oversight” committees, but it essentially creates a committee from within the agency in question.  While not advocating for more government regulation, this type of role is one that might best be handled by a federal privacy agency.  That, of course, is a position that invites more debate, and a very interesting one at that.  However, for the purposes of this article, the question remains: what level of oversight would be brought to bear on these databases?

As consumers and citizens we have an interesting dilemma.  Privacy is important in the arena of commerce and online identity, and our government seeks to protect that privacy.  On the other hand, the government claims a need to protect the public good at the cost of private rights.  How is that balance achieved?  This debate is one that should be more present in the public dialogue on privacy.  As citizens, we should take steps to be informed on the uses of our private information, and we should be able to demand that the information be used judiciously.

Dr. Heather Mark, PhD.  SVP of Market Strategy

A post in today’s Red Tape Chronicles puts the odds of someone else having your social security number at one in seven.  According to the article, this is something of an open secret among government agencies: “The IRS often knows when this happens, when the imposter pays taxes. The Social Security Administration knows, too, for the same reason. And the nation’s credit bureaus usually know, because the imposter often ends up applying for some form of credit.  Plenty of financial institutions also have access to this information.”  In August, San Diego company ID Analytics reported that more than 20 million Americans have more than one social security number.  That article indicates that:

  • 6.1 percent of Americans have at least two SSNs
  • More than 100,000 Americans have five or more SSNs
  • More than 15 percent of SSNs are associated with two or more people
  • More than 140,000 SSNs are associated with five or more people
  • More than 27,000 SSNs are associated with 10 or more people

These statistics likely come as a shock to many people, who naturally assumed that social security numbers are used to uniquely identify a particular individual.  These statistics, coupled with the court cases referenced in an earlier post, seem to paint a picture in which the social security number is not nearly as “private” or as “protected” as had been widely believed.

In our industry, we tend to focus on the responsibility of the company or organization to protect personally identifiable information.  In that discussion, the individual tends to be exonerated of any culpability in the protection of data.  Certainly, the argument can and has been made that organizations that collect data have a fiduciary responsibility to protect that data.  The individual, though, has an increasing role in ensuring the protection of their own information, as well.  This is not to suggest that if someone’s SSN is misappropriated or misused that the individual is at fault.  What I mean to say is that, in the current climate in which SSNs are commonly misused and the courts have suggested that this is not always in contravention of the law, individuals must become hyper-vigilant in the protection of their own information.  A simple example – If I am filling out an application or dealing with a service provider that requests my social security number, I always ask why it is needed.  Sometimes companies request information because it is “nice to have,” not necessary.  One shouldn’t provide “nice to have” information.

The fact of the matter is that the social security number currently serves a number of purposes for which it was never intended.  The SSN was intended merely to track an individual’s account within the Social Security Administration.  Over the years, this number has morphed into an all-encompassing identifier for almost every aspect of American life.  Since it was never intended to be as widespread as it is now, there were never any authentication measures built into the 75-year-old system.  The fact of the matter remains that attempting to retrofit privacy controls into an outmoded system is rarely successful.  Unless and until a new system is implemented, consumers will have to take measures to ensure that their SSN is not being misused.

Dr. Heather Mark, PhD. SVP of Market Strategy

Logic would tell us the answer to that question is certainly true.  Social Security Numbers (SSN) are assigned to individuals for a variety of reasons, some advocated by conspiracy theorists and some that are more prosaic in nature.  At its core, the SSN provides the government the ability to track consumption of government benefits, originally social security benefits.  Rationally, it would seem that using someone else’s SSN to derive some benefit would be illegal.  But a number of recent court decisions indicate that using one’s own name in conjunction with someone else’s SSN is not necessarily a crime.

Bob Sullivan’s Red Tape Chronicles admirably details several cases in which people were charged with identity theft for using another person’s SSN.  In each of the cases, the courts found that identity theft had not actually been committed.  In one case, an individual had simply made up a nine-digit number for use as a social security number.  In another, an SSN was used to obtain financing for a car.  What is particularly troubling here is that consumers are hearing two radically different stories.

  1. You must protect your SSN – the SSN, at the end of the day, still provides almost unfettered access to almost every facet of an individual’s life.  Bank accounts, jobs, mortgages and auto loans, school admissions.  All of these things can be tracked, or compromised, using one’s social security number.
  2. The fraudulent use of your SSN is not always a crime – the courts in these cases found that if an individual makes up a number, s/he doesn’t really know if it belongs to someone else and can therefore not have intentionally committed identity theft.  In another case, the courts found that because the SSN was used, but not required, to obtain financing, no identity theft had occurred.

What is interesting here is that these court decisions are in contradiction to state laws that have been drafted to protect individuals from the unauthorized use of their personally identifying information.  Texas, for instance, has legislated that a person may not “possess, transfer, or use personal identifying information of another person without the other person’s consent and with intent to obtain a good, a service, insurance, an extension of credit, or any other thing of value in the other person’s name.”  Fines for doing so can range from $2,000 to $50,000.  Virginia declares the unauthorized use or disclosure of a social security number to be a Class 5 felony.  Similarly, Hawaii classifies the unauthorized possession of “personal, confidential information” as a Class C felony.  It will be of great interest to watch the interplay between these court decisions and the laws of the states in terms of the protection of consumers.

It would seem that, for consumers at least, the lesson here is clear.  The social security number is arguably the most vital piece of personal information available, and the courts are demonstrating a reluctance to afford it appropriate protections.  As courts become more lax, identity thieves may become more bold.  That means that consumers must become hyper-vigilant in the protection of all personal data.

Dr. Heather Mark, PhD; SVP of Market Strategy
