Wednesday, May 25, 2005

US LAW MUST PROTECT YOUR DATA

Law must protect your data
David Lazarus

How many times does consumers' personal information have to be ripped off before lawmakers wake up to the reality that the corporate honor system isn't working?

The latest incident to come to light involves more than 670,000 customers at four different banks. The U.S. Treasury Department is calling it the largest financial security breach in history.

Police say that a New Jersey man was running a ring of "upper-level" bank officials who were bribed to provide data on customers. The data subsequently was sold to dozens of debt collectors and law firms.

Institutions involved include Bank of America, Wachovia, PNC Bank and Commerce Bancorp.

"This is the most outrageous security breach I've run across," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group.

"It's one thing for a hacker to get inside a computer and steal data," she said. "It's quite another for a trusted insider to troll through customer records and sell the information."

Indeed, this takes the matter of safeguarding privacy to a whole new level.

It was bad enough when we had to cope with the likes of Wells Fargo repeatedly losing customer files via stolen computers, or data broker ChoicePoint being scammed out of confidential info by identity thieves, to name just two notable examples.

Now we have to worry as well about company officials -- high-ranking ones, no less -- selling our names, addresses and Social Security numbers for personal gain.

In the latest incident, a man identified by police as Orazio Lembo, 35, was running a firm called DRL Associates out of his Hackensack, N.J., apartment. DRL pitched itself to clients as a skip-trace specialist that could help track down people sought for outstanding debts.

Police say Lembo would receive lists of people wanted by debt collectors and would pass the names to his circle of contacts at local banks.

The bank workers, including branch managers and other senior personnel, allegedly were paid $10 for each customer file they turned over to Lembo. Investigators say Lembo in turn would sell the info to collection agencies and lawyers for up to $100.

Lembo, who faces 130 years behind bars if convicted of racketeering and disclosing confidential data, allegedly made millions of dollars over the past four years.

So far, eight former bank workers and a New Jersey state official also have been arrested in the case.

"I don't think we're even close to the total number of bank employees involved," said Capt. Frank Lomia, who's heading the investigation at the Hackensack Police Department. "I think a substantial number of additional people will be arrested."

In some cases, police say, the bankers receiving Lembo's alleged payoffs made as many as 500 record checks a day in search of desired data.

"It's obvious that these individuals had little to no supervision," said Givens at the Privacy Rights Clearinghouse. "If what the police say is true, they were spending the vast amount of their time in a criminal activity."
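The unsupervised volume described above (hundreds of record checks a day by a single employee) is exactly the kind of signal an access-log review can surface. The following is an added example, not part of the column or any bank's tooling; the audit-log format, employee IDs and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed audit-log format (an assumption, not any bank's real schema):
#   "<ISO timestamp> <employee_id> LOOKUP <customer_id>"
def make_constructed_log():
    """Builds one synthetic business day of customer-record lookups."""
    # Four employees at ordinary volumes, one pulling 500 records a day.
    volumes = {"emp-1001": 20, "emp-1002": 35, "emp-1003": 40,
               "emp-1004": 25, "emp-2099": 500}
    lines = []
    for emp, n in volumes.items():
        for i in range(n):
            lines.append(f"2005-05-02T09:{i % 60:02d}:00 {emp} LOOKUP cust-{i:05d}")
    return lines

def daily_lookup_counts(lines):
    """Count LOOKUP events per (date, employee); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "LOOKUP":
            continue
        counts[(parts[0][:10], parts[1])] += 1
    return counts

def flag_excessive_lookups(counts, absolute_cap=100, peer_multiplier=5):
    """Flag an employee whose daily volume exceeds a hard cap, or is more
    than peer_multiplier times the median volume of all employees active
    that day. Returns (date, employee, count, reason) tuples."""
    per_day = defaultdict(list)
    for (date, _emp), n in counts.items():
        per_day[date].append(n)
    flags = []
    for (date, emp), n in sorted(counts.items()):
        if n > absolute_cap:
            flags.append((date, emp, n, "above absolute cap"))
        elif n > peer_multiplier * median(per_day[date]):
            flags.append((date, emp, n, "above peer median"))
    return flags

if __name__ == "__main__":
    for flag in flag_excessive_lookups(daily_lookup_counts(make_constructed_log())):
        print(flag)
```

The peer-median rule catches an outlier even where no absolute cap has been set for a role; in practice the thresholds would be tuned per job function.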

Representatives of the various institutions declined Tuesday to discuss details of the case or steps being taken to prevent something like this from happening again.

John Hall, a spokesman for the American Bankers Association, said banks routinely conduct background checks of employees, provide extensive training on how to handle confidential info and implement a variety of other security measures.

"You're talking about rogue employees here," he said. "We support prosecution to the fullest extent of the law. That would have a chilling effect on other people who might be thinking about doing something like this."

While that might be the case, it won't deter all corporate insiders from trying to enrich themselves by criminal means. (The death penalty has been around for a long time, after all, but that doesn't stop thousands of Americans from committing murder each year.)

I've said it before and I'll say it again: Companies large and small have proved themselves to be untrustworthy stewards of our personal data.

There's precious little accountability for security lapses that have become all but routine in the private sector, not to mention the actions of rogue employees.

It's time to do away with the honor system. It's time for lawmakers to pass legislation defining clear regulations for the collection, storage and distribution of consumers' confidential information.

"The scope of this growing threat is enormous," acknowledged California Sen. Dianne Feinstein. "It is time that people have a say in how their personal information is shared and stored."

Here are a few ideas lawmakers may want to consider:

-- All stored customer data must be encrypted at all times. Period.

-- Sensitive customer info, such as Social Security numbers, must be stored only in secure databases and never in individual computers, particularly easily stolen laptops.

-- Customers must be promptly informed of any potential security breach, no matter how seemingly minor in nature.

-- Any customer affected by a security breach must receive, free of charge, a year's enrollment in a credit-monitoring service.

Moreover, there should be serious consequences for failing to protect customers' personal info. Fines should be imposed in most such instances, and these penalties should be substantial enough to get the attention of senior execs.

The $10 trillion U.S. banking industry, for example, pocketed about $32 billion in profit last year. A fine of $100,000, say, isn't going to prompt a whole lot of hand wringing in the boardroom when customer data go astray.

Lomia at the Hackensack Police Department said his detectives essentially lucked into the banking case. They'd been investigating a burglary involving stolen checks, and one of those checks ended up being cashed by Lembo's DRL Associates.

"So we looked into DRL," Lomia said. "Before you knew it, this thing turned into something much larger."

Could similar rackets be operating elsewhere?

"You never know," Lomia replied.
