NYS Consumer Protection says “Action Needed in Heartland Breach”

The following was sent to me by the NYS Consumer Protection Board:

DATE: February 22, 2009


The New York State Consumer Protection Board (CPB) today called on financial institutions and corporations with knowledge of customer data compromised by the Heartland Payment Systems (Heartland) security breach disclosed to the public on January 20, 2009, to immediately take action to protect their consumers.

The CPB encourages the entities involved to implement the following three-pronged approach to protecting consumers:

1. Notify individuals who may have been affected by the security breach directly;
2. Alert customers by conspicuously posting information on their websites and link to the website created by Heartland Payment Systems www.2008breach.com; and,
3. Issue new debit/credit cards from financial institutions, where appropriate, or provide a brief explanation as to why the issuing of new cards is unnecessary.

In announcing this plan, the CPB acknowledges Heartland for informing consumers of the security breach via the media, and for submitting the New York State Security Breach Reporting form to the proper authorities, including the CPB.

“A breach of this enormity necessitates action on behalf of consumers who, to date, probably don’t even know that their personal and private information may have been affected,” said Mindy A. Bockstein, Chairperson and Executive Director of the CPB. “After careful scrutiny of the actions taken and current law, financial institutions should not sit idly by and do nothing to inform or protect the consumers who rely on them.”

According to the Heartland security breach form, this breach, which may well have been the largest ever reported, did not involve private information as defined by the current statute, and therefore no notification was required under New York State law.

“While it is fortunate that Heartland did in fact notify the appropriate New York State government Agencies, the experience highlights the need to bolster current law to assure disclosure is made to consumers when there is a data breach,” said Chairperson Bockstein.

William Pelgrin, Director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, said, “Safeguarding private and sensitive information requires continued vigilance by each of us. The threat landscape is constantly changing and each day, new methods are being discovered to take advantage of vulnerabilities. It’s important that all organizations and individuals understand the risks and take appropriate measures to mitigate them. Working collaboratively, we can strengthen the security of our systems and information.”

Director Pelgrin noted that amendments to the existing breach notification statute are currently under consideration. Such amendments will focus on enhancing the protections afforded to New York State citizens by improving the efficacy of the required notifications and facilitating compliance by businesses and State entities.

According to the Security Breach Reporting Form filed by Heartland, a hacking incident led to payment card account number and magnetic stripe information including, in some cases, cardholder names being acquired by unauthorized parties. Neither the total number of persons affected nor the total number of New York State residents affected is known; however, Heartland processes credit card payments for 250,000 businesses nationally, so it is assumed that the extent of the breach is substantial.

Heartland claims it has neither the mailing nor e-mail addresses of cardholders, and, in most cases, the names of those affected by the breach. Visa and MasterCard alerted Heartland of suspicious activity, triggering the company to hold an investigation by “several forensic investigators,” during which the intrusion was discovered, Robert Baldwin Jr., Heartland’s president and chief financial officer, said in a statement. Upon discovery, Heartland notified payment card companies of the incident. Those companies notified their issuing banks.

“Heartland has taken steps, based on the information they have, to inform the public of the security breach. However, it is important that those financial institutions and corporations who utilized Heartland systems take appropriate action to directly inform their own customers. This notification can be accomplished by written notice, e-mail and/or posting on company websites and is critical due to the potential size of the breach to protect consumers,” said Bockstein.

The CPB noted that the Heartland security breach has caused confusion for consumers, many of whom are unclear as to whether they may have been affected, either now or in the future. This is due, in large part, to the manner of the breach and the lack of information being presented to consumers by those entities that were notified by Heartland that their customer data has been compromised. The actions of the data owners vary considerably.

“There is a lack of consistency in the way information is being disclosed to consumers and the way they are being treated varies depending on the credit card issuing entity. We strongly encourage financial institutions and corporations involved in the breach to end the confusion for potential victims by adequately informing the public,” said Bockstein.

The CPB, established in 1970 by the New York State Legislature, is the State’s top consumer watchdog and think tank. The CPB’s core mission is to protect New Yorkers by publicizing unscrupulous and questionable business practices and product recalls; conducting investigations and hearings; enforcing the “Do Not Call” law; researching issues; developing legislation; creating consumer education programs and materials; responding to individual marketplace complaints by securing voluntary agreements; and, representing the interests of consumers before the Public Service Commission and other State and federal agencies.

To file a consumer complaint with the NYS Consumer Protection Board (CPB), call our toll-free hotline at 800-697-1220 or visit the CPB’s website at www.nysconsumer.gov. In addition to the online complaint form, the website is home to important consumer safety information

About the author: Dissent
