Last updated July 15, 2008

  Ameritrade Backup Tapes Go Missing

This hasn't been a good year for personal data security. LexisNexis and ChoicePoint, two information brokerage companies, admitted that data files of more than 455,000 consumers were compromised. Bank of America lost backup tapes containing about 1.2 million credit card accounts.

Federal authorities confirmed an investigation into the hacking theft of 8 million credit card accounts from the processor of credit transactions for MasterCard, Visa, Discover and American Express; DSW Shoe Warehouse disclosed that customer credit information was stolen from over 100 of its stores; and some 180,000 GM MasterCard holders will soon receive notification that someone might have stolen their personal information in a data breach at Polo Ralph Lauren.

The wave of bad news had bypassed brokerage companies--until two weeks ago. Ameritrade Holding Corp. announced that it, too, lost a backup tape during shipping, containing sensitive, unencrypted data from about 200,000 customers.

"We did not lose the information," clarified Katrina Becker, spokesperson for the Omaha, Neb.-based online brokerage. "It was a third party. We did not lose the information. It was a well-known, reputable, shipping carrier."

Because the company has not disclosed the name of the carrier, Ameritrade is taking all the blame so far.

According to Becker, four backup tapes went missing during shipping, three of which were later found inside the shipper's secure facility. The tapes contained data from 2000 to 2003.

In reaction, Ameritrade has already added extra levels of security, set up a hotline number for customers to call, and purchased a year's worth of credit protection for affected clients. Becker noted that there has been no evidence of malfeasance, and there is hope that the missing tape was accidentally destroyed instead of landing in the hands of someone malicious and clever enough to decompress and extract the data and make sense of it.

For security reasons, Becker would not say exactly which additional protective measures have been added. The company is also taking a good look at what it could have done better.

"We are evaluating processes and procedures to ensure we are taking every practicable precaution to protect client data and privacy," Becker told Securities Industry News.

Of course, the data losses pose more than just a PR problem--the major victims are consumers. In February the Federal Identity Theft Data Clearinghouse reported that 38 percent of all fraud claims in 2004 were related to identity theft.

It's only a matter of time before lawmakers get involved, and companies should start bracing themselves now for taking additional precautions when handling customer data and disclosing all breaches that occur.

Senator Dianne Feinstein, D-Calif., has already introduced legislation modeled on a California law that requires data collection companies to notify affected individuals if there is a breach in their data system. California is currently the only state to have such a law.

And in New York, Attorney General Eliot Spitzer has also called for similar legislation.

"Cases of identity theft are on the rise in our society due largely to rapidly changing technology," said Raini Baudendistel, executive director of the Crime Victims Assistance Center in Binghamton, N.Y., in a statement supporting Spitzer. "Currently victims of these crimes face immense obstacles in their attempts to report and prosecute these crimes. Legislation must be passed to begin protecting all of us."

This is likely to cost firms money. "Chances are better than not that if Mr. Spitzer gets involved that there will absolutely be added costs, whether penalties or operating costs, or both," said Jin-Chul (Gene) Kim, an analyst with International Data Corp.

Meanwhile, companies can learn from the problems at Ameritrade and Bank of America and take proactive steps to address this problem, he added.

Both the Ameritrade and Bank of America problems occurred during shipping. "That type of movement of information has to be dealt with in ways not dissimilar to moving cash," Kim said.

Firms should also take a good look at their processes and procedures. "Something did happen, so there were holes," he said. "That said, it's very hard to write policies and procedures that will completely mitigate against somebody doing something stupid."

Finally, firms should prepare for potential data breaches by putting policies in place to protect customer accounts before disaster strikes.

For example, firms can set up immediate monitoring of affected accounts and flag them for extra security checks during a certain time period. "But that requires that you have all those programs already written," Kim added.

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com