Companies should protect consumer data better than Wells Fargo did, but in cleaning up its laptop data spill the bank blazed a trail worth following.
The case illustrates how the California law is both overbroad on the one hand, and far too limited on the other. While Wells Fargo failed to insist that their contractor adequately secure the laptop in question, and also failed to have the contractor encrypt all sensitive information stored on portable media (including laptops), Wells Fargo deserves kudos for responding appropriately and doing the right thing when the theft occurred.
It now appears that a 38-year-old Home Depot employee from Concord, California stole the laptop computer specifically for the purpose of using the data in it to perpetrate identity fraud. So Wells Fargo's actions in notifying potential victims, and offering to pay to monitor and, if necessary, repair their credit, should be applauded. All the more so because it went far beyond what the California law required.
Many people assume that when customer account information is compromised, SB 1386 requires that the customer be notified. However, the law requires disclosure of breaches only when a particular type of account information is disclosed. The
For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Unless the information compromised is both the person's name and account access information, SB 1386 does not explicitly require that the potential victim be notified.
This makes sense when you consider the context in which the law was passed. The primary impetus for the legislation was an electronic break-in at the Stephen P. Teale Data Center that, according to the bill's analysis, "saw the personal financial information of hundreds of thousands of state workers fall into the hands of computer hackers," providing "a dramatic demonstration of an all too common event -- a breach in data base security which exposes victims to the further harm of identity theft."
Thus, it is clear that the purpose of the legislation was not to alert persons that their privacy may have been violated, but to alert them to particular types of privacy violations -- those that could expose them to the harm of identity theft. The notification is supposed to be timely so the consumer can take prophylactic action. This is one of the problems with the law, because in actuality, simply being notified of a compromise is usually not enough to prevent an identity theft. In this regard, SB 1386 does not really help consumers.
Where a compromised system or laptop contains either a person's name and address or their account information, but not in combination, a company could take the position that no disclosure is required.
However, that can be a dangerous position to take where there has been an actual compromise of personal data. The company suffering the compromise should do the right thing, regardless of the limited scope of the California law. Wells Fargo's handling of its laptop theft provides an exemplary model.
If your company detects a potential compromise of personal information, you should first investigate -- determine as best you can the extent of the loss and the type of data at risk. If information has actually been compromised, notify all of your customers, not just the California ones. Then, do what Wells Fargo did, and offer to pay to protect your customers' personal data -- with fraud reports and credit watch lists.
There is a certain amount of self-interest involved in doing the right thing here. First, you let your customers know that you take their privacy seriously -- and this helps with customer retention. In addition, doing the right thing may stave off legislation that would mandate that affected companies not only notify consumers, but pay for credit reports.
For example, the proposed
Companies like Wells Fargo should remember that they are mere fiduciaries of other people's money, information and privacy, and do the right thing to protect it in the first place. And they should notify consumers promptly if the information is compromised, and help their customers fix any problems that result from the potential breach. It may not be the law, but it's a good idea.