You can’t possibly have missed the flurry of articles in the press over the past few years regarding identity theft and the measures being taken (or vulnerabilities exposed) to protect the non-public, personally identifiable financial information consumers access, use and provide in the course of routine payment transactions—both offline and online. Indeed, several years ago, the Payment Card Industry (“PCI”) began formulating its own self-regulatory standards governing the protection of consumer information relating to the processing of credit, charge and debit card transactions. This has led to the development of the PCI Data Security Standards (“DSS”) and corresponding Data Security Audit Guidelines. In broad terms, the PCI DSS requires the protection (by encryption or other effective means) of personal information in the payment card process—whether in storage, card processing, point of sale/purchase, or recordkeeping—in every link in the chain of payment using a payment card or device linked to an account at a financial institution.
As a result of the furor over the release of private information—including releases from governmental agencies and databases (e.g., social security numbers, driver’s license numbers)—more than 30 states have passed specific legislation requiring companies that know, or reasonably suspect, that data, databases or electronic/digital information involving personal information of consumers has been compromised or actually leaked, to disclose the security lapse or potential breach and notify the consumers affected (or potentially affected) by it. Federal legislation has been proposed, although nothing has yet been enacted, and the states have stepped in to fill the perceived gap, to protect the information of their citizens, and to regulate the conduct of companies doing business within their borders.
Much of the angst over security compromises in private-sector commercial transactions—starting most visibly with ChoicePoint several years ago and continuing in a steady stream thereafter—arises from the fact that retail merchant establishments have traditionally not had to worry about privacy and the secure management of customer personal and financial information, primarily because they haven’t been regulated or needed to do so. Enter the digital age of information and the ability of marketing and advertising gurus (within and for retailers) to data-mine and use vast amounts of previously cumbersome and often unattainable information about customers. If information has always been power, then digital information transforms that power exponentially, at the speed of light (literally, for those physics majors masquerading as lawyers or marketing professionals).