The Wells Fargo example

Doing the right thing


Opinion Companies should protect consumer data better than Wells Fargo did, but in cleaning up its laptop data spill the bank blazed a trail worth following, says SecurityFocus columnist Mark Rasch.

In July of this year, a new law took effect in California, SB 1386, that requires all companies that do business in the state to "promptly" notify any individuals whose personally identifiable information was potentially compromised by a cyber attack. Last week, we saw the impact of that law when Wells Fargo notified thousands of its customers that their information may have been compromised after a laptop computer containing account data was stolen from a contractor. Wells Fargo also announced that it would pay $100,000 for the return of the laptop.

The case illustrates how the California law is both overbroad on the one hand, and far too limited on the other. While Wells Fargo failed to insist that their contractor adequately secure the laptop in question, and also failed to have the contractor encrypt all sensitive information stored on portable media (including laptops), Wells Fargo deserves kudos for responding appropriately and doing the right thing when the theft occurred.

It now appears that a 38-year-old Home Depot employee from Concord, California stole the laptop computer specifically for the purpose of using the data in it to perpetrate identity fraud. So Wells Fargo's actions in notifying potential victims, and offering to pay to monitor and, if necessary, fix their credit, should be applauded. All the more so because it went far beyond what the California law required.

Many people assume that when customer account information is compromised, SB 1386 requires that the customer be notified. However, the law requires disclosure of breaches only when a particular type of account information is disclosed. The language of the statute specifically reads:

For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver's license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Unless the information compromised is both the person's name and account access information, SB 1386 does not explicitly require that the potential victim be notified.

Limited Law

This makes sense when you consider the context in which the law was passed. The primary impetus for the legislation was an electronic break-in at the Stephen P. Teale Data Center that, according to the bill's analysis, "saw the personal financial information of hundreds of thousands of state workers fall into the hands of computer hackers," providing "a dramatic demonstration of an all too common event -- a breach in data base security which exposes victims to the further harm of identity theft."

Thus, it is clear that the purpose of the legislation was not to alert persons that their privacy may have been violated, but to alert them to particular types of privacy violations -- those that could expose them to the harm of identity theft. The notification is supposed to be timely so the consumer can take prophylactic action. This is one of the problems with the law, because in actuality, simply being notified of a compromise is usually not enough to prevent an identity theft. In this regard, SB 1386 does not really help consumers.

Where a compromised system or laptop contains either a person's name and address or their account information, but not in combination, a company could take the position that no disclosure is required.

However, that can be a dangerous position to take where there has been an actual compromise of personal data. The company suffering the compromise should do the right thing, regardless of the limited scope of the California law. Wells Fargo's handling of its laptop theft provides an exemplary model.

If your company detects a potential compromise of personal information, you should first investigate -- determine as best you can the extent of the loss and the type of data at risk. If information has actually been compromised, notify all of your customers, not just the California ones. Then, do what Wells Fargo did, and offer to pay to protect your customers' personal data -- with fraud reports and credit watch lists.

There is a certain amount of self-interest involved in doing the right thing here. First, you let your customers know that you take their privacy seriously -- and this helps with customer retention. In addition, doing the right thing may stave off legislation that would mandate that affected companies not only notify consumers, but pay for credit reports.

For example, the proposed Identity Theft Consumer Notification Act, H.R. 818, introduced by Congressman Kleczka, would amend the Gramm-Leach-Bliley Act to require that financial institutions "reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information, and any misuse of such information, including any fees for obtaining, investigating, and correcting a consumer report of such consumer at any consumer reporting agency." Similarly, the Identity Theft Notification and Credit Restoration Act, H.R. 3233, would require credit reporting agencies to put fraud alerts in a consumer's credit report if personal information had potentially been compromised. The Identity Theft Prevention Act, S. 223, introduced by Senator Feinstein, would also require the use of such fraud alerts, but wouldn't go as far as H.R. 818.

Companies like Wells Fargo should remember that they are mere fiduciaries of other people's money, information and privacy, and do the right thing to protect it in the first place. And they should notify consumers promptly if the information is compromised, and help their customers fix any problems that result from the potential breach. It may not be the law, but it's a good idea.

Copyright © 2003,

Mark D. Rasch, J.D., is a former head of the Justice Department’s computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
