Breaches expose flaws in data privacy laws
BOSTON (4/1/08)--Credit unions backing state privacy and data breach bills might want to check the bills they're supporting for loopholes such as one exposed in Massachusetts' new data privacy law when grocery chain Hannaford Bros. disclosed a sophisticated first-of-its-kind data breach.
The Massachusetts statute, like many similar statutes, requires companies to notify state officials and residents when they lose control of records that could lead to the theft of personal information such as a person's name and credit card number. State officials say the law applied in the case of the Hannaford breach, according to the Boston Globe (March 30).
Even though it disclosed the breach, Hannaford says it was not required to make such a disclosure, even after it learned the information from the cards was sent overseas. Hannaford's General Counsel Emily D. Dickinson wrote in a letter to Massachusetts Attorney General Martha Coakley and the state Office of Consumer Affairs and Business Regulation that the loss of card numbers alone does not amount to loss of personal information, as defined by Massachusetts law. She added that Hannaford's notice to regulators was a form of voluntary cooperation. The company did not believe that notice of the breach was required.
Thirty-nine states have laws requiring some form of disclosure following a breach. Most say the companies involved must file reports when they lose card data with customers' names and other personal details. They don't address what happens when a company experiences the loss of just numbers, without the customers' names, as happened in the Hannaford breach.
Most laws include names and data because together they constitute potential identity theft, said Chris Hoofnagle, a specialist in privacy law at the University of California. Hoofnagle told the Globe that losing only numbers is considered less threatening because there's less chance of abuse and because card issuers often forgive many fraudulent charges.
Hannaford revealed on March 17 that 300 stores in its system were compromised by a first-of-its-kind data breach that illicitly placed software on the stores' servers and lifted credit and card numbers and expiration dates of 4.2 million customers. The breach was discovered on Feb. 27. It disclosed the details in stages, through a press release, a statement on its website, and the letter to the Massachusetts regulators.

