Certegy Check Services Inc. said it is doing everything possible to assuage consumers’ fears of identity theft after it became known that a former employee stole 2.3 million consumer records containing credit card, bank account and other personal information.
St. Petersburg, FL-based Certegy Check Services Inc. is a division of Fidelity National Information Services, a financial processing company. A former employee of Certegy, which provides check services to US retail merchants, misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations.
According to a civil complaint filed by Certegy in the Circuit Court of the Sixth Judicial Circuit in St. Petersburg, FL, the employee was senior level database administrator William G. Sullivan, who had been employed by the company for seven years and who was entrusted with defining and enforcing data access rights.
According to the filing, Sullivan obtained information from Certegy’s database and, either individually or through his wholly owned entity, S&S, was paid for the information by list broker JAM Marketing Inc. JAM had gone on to disseminate the misappropriated information to other direct marketing firms, including Strategia Marketing LLC; Data Secure IP LLC; MC List Escrow Inc.; Quality Resources Inc.; Whitehat.com Inc.; and Quality Teleservices Management Inc., doing business as Custom Response Teleservices.
In the court document, Certegy said that the broker and the direct-marketing companies were not aware that the information had been stolen.
No phone listing or Web entry was available for JAM Marketing and MC List Escrow, both of which are based in Seminole, FL. Strategia Marketing would not take calls from a reporter and said it only responded to written questions sent through the mail.
Calls to Data Secure IP LLC were not returned.
A person who did not want to be quoted at Quality Resources Inc. said that while the company was named in the filing, it did not buy data from the entity. An employee of Whitehat.com was not aware of the filing but planned to look into it. Finally, an employee of Quality Teleservices Management Inc., doing business as Custom Response Teleservices, was also not aware of the lawsuit and said that the company buys its data directly from its clients.
The misappropriated information included names, addresses, and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred.
The data was not used in identity theft or other fraudulent financial activity, Fidelity said. As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data.
Despite the low risk, Certegy said that it is doing everything possible to ensure that any inconvenience experienced by consumers is minimized.
For example, besides filing the complaint, Certegy officials said they had contacted the data broker and the marketing companies and believed they would be able to get the data back and prevent its future use. Certegy has asked a court in St. Petersburg to order the companies to do the same.
She also said the company will seek civil penalties against the former worker and wants criminal charges filed against him.
Certegy also said it is in the process of making any required notifications to governing state regulatory agencies; has alerted the nation’s three major credit reporting agencies, TransUnion, Equifax and Experian; and has notified Visa and MasterCard of the incident.
The company is also establishing a procedure for financial institutions to obtain information about their customers’ accounts so that they can place them on an active fraud watch; will be personally notifying all affected consumers of this misappropriation, as well as establishing a toll-free hotline to answer consumer questions; and has implemented a fraud watch on its internal systems for those checking accounts that are implicated.
Certegy also said it continually reviews its security policies and is taking steps to help prevent future incidents.
Based on the investigation to date, Certegy does not expect that the costs to implement this action plan will materially impact financial results.
The investigation began in May when Certegy, which maintains bank account information in connection with its check authorization business that helps merchants decide whether to accept checks as payment for goods and services, learned that some customers were being solicited by telephone and mail. Certegy launched an immediate investigation and was unable to detect any breach of its security systems. It hired a forensic investigator to validate its findings and contacted the Secret Service.
The Secret Service was able to identify the company supplying the information and, with further assistance from Certegy, determined that the company was owned and operated by a Certegy employee.
The agency contacted the marketing companies to question the source of their information and determined it came from a company owned and operated by Sullivan. Nichols said he did not know how much money Sullivan received.
Data theft has been a problem with several companies. TJX Cos., the operator of T.J. Maxx and Marshalls, disclosed in January that a data theft exposed 45 million credit and debit cards to potential fraud. In February 2006, Scott Levine of Boca Raton was sentenced to eight years in prison in a computer theft case involving more than 1 billion records collected by data-management firm Acxiom Corp., a Little Rock, AR, firm. In March 2005, the parent company of Lexis Nexis said hackers got access to personal information of as many as 32,000 U.S. citizens in a database owned by Lexis Nexis.
A lawyer with many clients in the direct marketing industry said the data theft issue appears to be a situation where Certegy did everything absolutely right, both before and after the theft of the data.
“What the law currently requires is for companies to have in place a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personally identifiable information,” said Joseph Lewczak, a partner at Davis & Gilbert LLP in New York, in an e-mail. “It appears that Certegy did that. Unfortunately, no such security program can prevent a person who has access to such information from stealing it, especially in a case where that person takes the information using a physical process.”
The one thing that Certegy could have done, Lewczak said, was to conduct a background check on its employees who had access to the personally identifiable information.
“Given the sensitivity of the information, and the potential legal and financial consequences in the event of a theft or other compromise of such information, a background check is a good step to add to the list of best practices,” he said.
The impact on the direct marketing is a little more disconcerting, Lewczak said.
“It appears that the marketing companies were totally unaware of the fact that the data was stolen,” he said. [For more comments from Lewczak, including what the issue means to DMers, see www.dmnews.com]
FULL COMMENTS from Mr. Lewczak BELOW:
This appears to be a situation where Certegy did everything absolutely right, both before and after the theft of the data. What the law currently requires is for companies to have in place a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personally identifiable information. It appears that Certegy did that. Unfortunately, no such security program can prevent a person who has access to such information from stealing it, especially in a case where that person takes the information using a physical process.
Once a company discovers that the information has been taken, various state data breach notification laws require a company to notify all those persons who were impacted by the breach. Certegy did that as well.
Indeed, given the various additional steps that Certegy took after the breach was discovered, it appears that Certegy went well above and beyond what it is required to do given current legal requirements. However, what Certegy did by notifying the authorities, investigating the breach, firing the employee, instituting a civil complaint, contacting the marketing companies, notifying the consumer reporting bureaus and taking the other steps it took are a textbook example of best practices as to how to handle this type of situation. All companies should follow its lead if something similar happens.
The one thing that Certegy could have done that it may not have done was to conduct a background check on its employees who had access to the personally identifiable information. Given the sensitivity of the information, and the potential legal and financial consequences in the event of a theft or other compromise of such information, a background check is a good step to add to the list of best practices.
The impact on the direct marketing is a little more disconcerting. It appears that the marketing companies were totally unaware of the fact that the data was stolen. The Federal Trade Commission and state regulators are increasingly targeting companies that are the “choke points” of transactions that involve deceptive or unfair acts or practices — that is, legitimate companies that can control or stop the conduct of others that they are dealing with. For example, the FTC has put pressure on the media to not accept deceptive weight loss ads, and has also pursued merchants (as opposed to affiliates) in affiliate marketing programs. I see the Certegy situation as an instance where a regulator might pursue the marketing companies, if they didn’t have in place appropriate procedures to determine that the data may have been stolen.
You may ask, what could a direct marketer possibly do in order to ensure this isn’t the case? A regulator would not require the direct marketer to take any more steps than are reasonable in the circumstances. Things to consider as best practices when purchasing or licensing data:
1. Do you know and trust the source? If not, you probably should not rely upon it as being legitimate.
2. Do the terms of the deal appear to be too good to be true? For example, is the cost for the license less than market rate? This should be a clue that something may be amiss.
3. Do you have in place an appropriate written agreement with the seller? The agreement must contain representations and warranties from the seller that the list was obtained in compliance with law, that they have the authority and permission from the persons on the list to transfer the information, and that the direct marketer’s use of the information will not violate any law or the rights of any third party. If the seller is balking at any of these terms, you know there is an issue.