by David Lazarus
A data-security breach that resulted in numerous people having their
debit cards canceled this week is actually much larger than first
As first reported in my Thursday column, an unspecified number of Bank
of America customers have received letters warning that accounts may
have been compromised "at a third-party location unrelated to Bank of
BofA has said only that the unnamed company is not a bank affiliate.
But well-placed sources within the banking and credit card industries
now tell me that the company in question is a leading retailer in the
Those sources also place the total number of consumers affected by the
security breach at nearly 200,000.
Washington Mutual confirmed Thursday that it too was involved in the
breach and is replacing customers' debit cards.
Wells Fargo reiterated only that the bank protects customers "if we
discover they are at risk for unauthorized transactions." However,
multiple Wells Fargo customers told me they've received new debit
cards from the bank via FedEx.
It's unclear at this point whether the retailer violated state law by
not directly notifying customers of the breach, instead allowing
customers to be ambiguously alerted by their banks.
State Sen. Jackie Speier, D-Hillsborough, a leading privacy advocate
in Sacramento, said the spirit, if not the letter, of the law appears
to have been violated.
"The intention of the law was not to create anonymous notifications,"
she told me. "It was to link the consumer with the company being
Banking industry sources said they were notified last month by Visa
and MasterCard that the computer system of a prominent merchant had
been penetrated by a computer hacker, and that account information for
thousands of customers had been endangered.
Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that
the incident involved a U.S. merchant that "may have experienced a
data security breach resulting in the compromise of Visa card account
"Upon learning of the compromise," she said, "Visa quickly alerted the
affected financial institutions to protect consumers through
independent fraud monitoring and, if needed, reissuing cards."
Sharon Gamsin, a spokeswoman for MasterCard International, said the
credit card company had been informed of "a potential security breach
at a U.S.-based retailer."
"We have notified the banks that issue MasterCard cards to monitor for
any suspicious account activity and take the necessary steps to
protect cardholders," she said, adding that MasterCard "will continue
to monitor this event."
In any case, a serious issue raised by the incident is whether a
business can avoid compliance with a California law requiring that
customers be notified in the event of a security breach
State law requires that any company "that owns or licenses
computerized data" must notify consumers if any personal info is
"acquired by an unauthorized person."
The law defines ownership of data as being "part of the business'
internal customer account or for the purpose of using that information
in transactions with the person to whom the information relates."
Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said the
retailer whose security was recently breached would be liable for
notifying customers only if it was maintaining a database of account
info and that database was compromised.
"Merchants clearly have notification requirements under the statute,"
he said. "The responsibility of this retailer is unclear based on the
But Ray Everett-Church, who runs a San Jose privacy consulting firm
called PrivacyClue, said this position undermines the intent of the
law, which took effect in 2003.
"Part of the intent of the law is for companies with lax practices to
be held accountable," he said. "If they can hide behind card issuers,
it calls into question whether merchants have a real incentive to
improve their practices."
The law, Everett-Church said, "is intended to increase the risk for
companies so they are encouraged to fix problems before they become
Speier agreed with this interpretation, observing that if the merchant
in the latest case remains unidentified, its consequences for a
serious security breach have been minimized.
"You're insulating that company from any downside or loss of business
that might occur as a result of the breach," she said.
David Lazarus' column appears Wednesdays, Fridays and Sundays. Send tips
or feedback to email@example.com.
Copyright 2006 San Francisco Chronicle