Missouri Passes Breach Notification Law: Gap Still Exists for Banking Account Information

Published: 2009-07-23
Last Updated: 2009-07-23 11:27:12 UTC
by John Bambenek (Version: 1)
2 comment(s)

Earlier this month, Missouri passed a breach notification law as part of on omnibus package of laws under HB 62, It's the a few paragraphs after the law that bans beer-bongs on rivers in Missouri [1]. It is a slightly different variant than most other breach laws but not by much. Here is a brief synopsis of the law with the usual disclaimers [2]. There is still the encryption immunity (if you lose encrypted data you don't have to report). Other than that, it defines private information as name plus and of the following:

  • Social Security Number
  • Driver's License Number
  • Health Information
  • Insurance Information
  • Financial Account Number (with whatever other information gives access to account)
  • "Unique Electronic Identifier" or Routing Code (with whatever other information gives access to account)

I'm not entirely sure what they mean by Unique Electronic Identifier and I don't think by Routing Code they mean ABA Routing Number used for bank accounts.  Regardless, in all cases it still requires name with all those categories for a "reportable" even to occur. For the most part, this makes sense. There is one exception, checking (or other transaction) account information.

While credit cards do have name verification, the ACH system does NO NAME VERIFICATION. If I have your checking account and routing number (which is essentially public), that's all I need to take money out of your account.  That's it, no name, no address, no other information needed. This is a growing problem because the criminals know how easy it is to take money from these accounts and it is becoming a growing target.  A local merchant where I live was compromised and I happened to be one of the lucky ones that paid by check.  First I heard about it was some non-descript information in the news.  Second I heard about it was when I started seeing people buying $100 prepaid cards out of my account.

That vendor was NOT REQUIRED to notify me that they lost my account information because they only went for checking account # and routing #.  As a result, first I knew about it was when money went missing.

Unlike credit cards, checking accounts are painful to close. You can't close them if transactions (even fraudulent) are pending. Unlike credit cards, you have to send in a notarized form within 60 days to get your money back (maybe). And then there is changing all those automatic withdrawals you may have set up. For instance, the US Department of Education Student Loans Department takes 2-3 MONTHS to update automatic payment information (you know, the same people that use the SOCIAL SECURITY NUMBER as the ***USERNAME***[3] for all accounts).

Long story short, pay attention to your bank account information. You have to respond more or less immediately if you notice fraud.  What seems to be typical is seeing a transaction that says DEBIT CARD 800-XXX-XXXX, but that is actually an ACH transaction. (Debit card is a more-or-less credit card transaction and processed over that infrastructure. ACH is a direct deposit or withdrawal using the account information not the debit card information).  If you see those transactions, start the investigation process to get your money back but immediately close the account and open a new one.  If your bank pushes back, get a new bank.

And tell your state legislator to fix the law so bank account number and routing number WITHOUT name are reportable under breach notification laws.

--
John Bambenek
bambenek at gmail /dot/ com

Footnotes -

[1] - Now I gotta change my summer vacation plans... **shakes fist**

[2] - This isn't legal advice and if you take what you read on the internet as actual legal advice, you deserve whatever really bad thing happened to you. 

[3] - **Faceplams**

2 comment(s)

Comments

Hmm, "if you lose encrypted data you don't have to report." My first guess is that applies even if the form of encryption used has been deprecated/cracked. True?
It's not defined in the law, but the law is only enforceable post-breach. Due to the difficulty of tracing a particular event of fraud back to where the data was breached, likely it will be awhile until this is tested.

My hunch, people will go with cheapest available. I don't think you'll see people using some 1960s era encryption, but it won't be top of the line either.

If there was a suit, I would imagine they'd lose if they knew the encryption was deprecated or cracked. That's all conjecture though. Law was written to be squishy so various state AGs can get creative in putting screws to people.

Diary Archives