The young woman behind the register told me my card was declined, so she couldn’t give me my burrito. My first reaction was, “Good one!” She responded with a blank stare.

“That’s got to be a mistake,” I said, glancing at the voluptuous burrito. “You mind trying again, please?”

She shook her head after another failed attempt, handed me back my card and yelled, “Next!” I slumped out of La Victoria defeated. And hungry.

The next day, I called Bank of America. I knew full well I had deposited a check that entitled me to at least a few nights of good eating and drinking.

The customer-service rep told me there had been a breach of security at a business where I had used my card. Identities of an untold number of customers were leaked. All of their cards were frozen. Mine was one of them.

Last month, the same thing happened to more than 360,000 Citibank customers. In April, a 19-year-old hacker in London successfully targeted Sony’s PlayStation network and captured personal information from 70 million subscribers, costing the company $171 million. So far this year 22 million personal records have been compromised—more than double the number in all of 2010.

As a result, banks have adopted hair-trigger response strategies when they suspect a customer’s credit card is being misused. I am aware of this because I bought a plane ticket recently to see family back in the Midwest. BofA did me the kind favor of freezing my account because the transaction was considered suspicious. This is what happens when you rarely make a purchase over $50. We cleared that up.

I called the bank about this more recent suspension of activity. “You should have been mailed out another card,” the operator told me.

“I haven’t received anything,” I said, “and no one contacted me about a breach of security.”

“That’s probably because we send out cards to everyone who has been affected,” she said. “There are too many people to contact individually.”

Annoyed, I asked to speak to a supervisor and sat on hold for the next 30 minutes, contemplating suicide as I listened to a four-second sample of elevator music on a loop. I hung up and started the process over with a new operator and greater sense of wrath.

“I just went through this a couple weeks ago and updated my phone number and email address,” I said. “You have that information, right?”

“Yes, we do, Mr. Koehn.”

“OK, so let me ask you a question.” I sighed to prevent myself from using off-color language for emphasis. “What’s the point of having that contact information if you aren’t going to contact me?”

The operator sat in silence for several seconds. She apologized and repeated that I should look for a card in the mail, adding that I needed to go into a local branch to get a temporary card.


“Alright, one last thing,” I said. “What business had the breach of security so I know to never go to this place again?”

“I’m sorry, I don’t have that information, Mr. Koehn.”

“Why not?”

“I just don’t have it, Mr. Koehn.”

“Of course, you don’t.”

“Mr. Koehn, if there’s nothing else I can assist you with, would you have a few minutes to answer some questions regarding your service today?”

“Seriously?” Click.

Stolen Secrets

A similar—admittedly more serious—security breach occurred nine years ago, when hackers gained access to the Teale Data Center, which was the personnel database for almost every state agency and 265,000 public employees.

At the same time, Joe Simitian, then a first-term assembly member, had just introduced a bill requiring banks and businesses to release more information regarding security breaches in a timely manner. The bill was receiving little support and barely made it out of the Senate despite a Democratic majority.

“All of them got a letter a month and a half after the fact, including 40 senators and 80 assembly members,” Simitian says. “They all got the same form saying ‘your information may have been compromised.’ All of a sudden there was more interest in the bill. As you might expect.”

Like most people, politicians tend to take more decisive action when an issue directly affects them.

A senior legislator brought Simitian under his wing and helped get the bill passed, putting California at the forefront of protecting consumers from privacy intrusions.

“It worked extraordinarily well in the intervening years,” Simitian says, adding that more than 40 states followed suit with similar legislation.

But since then, the game has changed. The Internet is in a state of perpetual expansion, and the potential for information to slip (or be extracted) through the cracks has never been greater.

According to the Privacy Rights Clearinghouse, 534 million sensitive records have been compromised nationally since 2005.

Safeguards are in place, but little information is currently required to be released about when and where breaches take place. Banks can’t be relied on to voluntarily give up accurate information when something goes wrong with their network. Last week, Citibank reluctantly admitted that its recent breach was almost double the 200,000 records it originally reported, drawing the ire of the U.S. Senate Banking Committee.

Simitian has unsuccessfully submitted additional legislation to strengthen his original effort, but that might soon change. He has a new bill, SB 24, currently being reviewed in committee, that will require businesses to provide those affected by a security breach with the type of information leaked, as well as a better timeline of when it was leaked.

Former Gov. Arnold Schwarzenegger vetoed three prior versions of this bill. With Sen. Jean Fuller (R—Bakersfield) co-authoring SB 24, it has already breezed through the senate and assembly judiciary committee with bipartisan support. It appears likely to land on the assembly floor soon. If signed by Gov. Jerry Brown, the bill would go into effect at the beginning of next year.

“It’s one of those relatively obscure issues until you are personally affected,” Simitian says, “and then it matters a lot.”