Missing Tape With Consumer Data Causes ABN AMRO To Change Data Transfer Methods, Highlights Folly of Proposed Federal Legislation

In November of 2005, ABN AMRO Mortgage lost a computer tape containing the financial information of more than 2 million residential mortgage clients. The tape was being used to transfer updated credit information to Experian; one of the three major credit reporting agencies. The tape had been shipped using DHL and disappeared while in transit. Although the tape was later recovered, the incident and its ensuing bad publicity has been enough to get ABN AMRO to change the way that it handles consumer data.

ABN shipped the tape to Experian on November 18, 2005. From that point it is unclear where it was, or who had access to it for the next month. It was discovered by DHL employees on December 19, 2005 and it was missing its air-bill.

DHL repackaged the tape and sent it back to ABN but by that time, the FBI was involved in an investigation. Once the tape was recovered, the company began notifying consumers about the data loss and recovery.

There was never any doubt that ABN AMRO Mortgage would begin notifying consumers of this mishap. The tape contained data on 201,495 California consumers. This meant that by California law, ABN had to notify those consumers that their data may have been exposed to identity thieves. ABN was left with little choice but to notify all consumers that may have been exposed, regardless of the state in which they reside.

Although the loss of the tape was inconvenient for consumers, the publicity surrounding it has had some positive impact on ABN. At the time of the loss, ACCESS publicly questioned the wisdom of shipping consumer data via a messenger service. Electronic data transfer is significantly more secure when it is done correctly. Well, apparently ABN agrees. Following the loss of the tape, ABN suspended all future physical data tape transfers. The company has now switched to electronic data transfer.

The ABN incident is noteworthy for a couple of reasons.

First, state laws in California, and 19 other states at the time of the incident, forced ABN to notify the public of the data loss. These notifications allowed consumers to take additional action to protect their identities’. In the states that allow it, consumers were even free to freeze their credit file; making identity theft nearly impossible.

Second, the incident points out that when you shine the light of day on data breaches, companies will change their business practices. These changes benefit the public but they are expensive and embarrassing to the businesses that are forced to make them.

Over the past few days ACCESS has been talking about a bill that is moving through Congress; HR 3997. If that bill had been law at the time that DHL lost ABN’s tape, no consumer notifications would have been required. Furthermore, it is highly doubtful that ABN would have made any changes to their business practices.

Among other things, HR 3997 overrides state notification laws in favor of a weak national standard. Under that standard, businesses are allowed to determine on their own if a data loss could lead to identity theft. If their determination is that the risk is minimal, no notification is required.

The bill also overrides any state laws that allow consumers to freeze their credit file. Under HR 3997 only those who have already become victims of identity theft will be given this privilege.

And finally, HR 3997 takes away the power of State’s Attorney General to enforce the law. All regulatory authority is given to the FTC. The FTC is currently in charge of identity theft matters at the federal level, and has already proven that it is incapable of controlling it.

HR 3997 is backed by the banking industry, insurance companies and data brokers. All of these industries have lobbied hard to win passage of this bill, which has a nearly identical counterpart moving through the Senate. If you would like your congressional representatives to oppose this bill, you can let them know how you feel by clicking here and submitting a letter to them.

Technorati Tags : identity+theft, privacy, credit+freeze, data+breach