Jan 25 2009

Time for change of legislation for breach notification

Published under Security

Card fraud and skimming of cards is nothing new, and the Malmö region has previously been reported by the Swedish police as the region in Sweden with the highest rate of reported card fraud. But the question is whether it is not time for change and tougher requirements regarding the handling of card data and card terminals. The industry itself has previously introduced the industry standard PCI-DSS (Payment Card Industry Data Security Standard) to set higher requirements for the handling of terminals and card data. This does not appear to be enough, given the recent fraud against Plantagen Svågertorp, Malmö, which the Swedish newspapers Sydsvenskan, SvD and DN write about. Something consumers should be grateful for.

The police have once again chosen to act quickly by issuing a warning directly through the media, unlike the previous incident at Toys R Us, Malmö, where it took 10 days before the media wrote about it. Whether this was because the newspapers themselves noticed the incident or because the police chose to release the information is unclear.

Then, as now, the problem remains that, as a consumer, you must act yourself and contact your bank to block the card. In this area, Swedish legislation should be amended so that the affected company or card issuer is required to act by contacting and informing consumers about incidents where card information has fallen into the wrong hands. For comparison with the US, we can look at two laws enacted in California, California Civil Code 1798.29 and 1798.82, under which companies and public authorities have an obligation to inform those affected by data breaches where personal information has fallen into the wrong hands. This is missing from Swedish legislation today.

Since card information is personal data, such incidents should also be treated as identity theft, something that is not reflected in Swedish legislation today. This would probably also result in higher penalties compared with what the courts are handing down today.

The stores should also review their routines, such as locking away the card terminals overnight and checking the terminals daily. This would probably have prevented the incident at Plantagen, where the terminals were most likely manipulated during an earlier break-in on New Year’s Eve in which nothing was stolen. The break-in was written off as harmless, without anyone reflecting that the burglary itself might have been a diversion to manipulate the terminals. Similar circumstances occurred in early 2008 in a fraud scheme against one of Swedbank’s branch offices in Uppsala, which involved equipment for taking remote control of a PC on the local office network. Again, this was reported as a failed break-in, and the police were quick to close the case. In Swedbank’s case, equipment for remotely controlling a computer was discovered, in an attempt to carry out larger transactions. In both cases, the routines for following up the break-in attempt were presumably insufficient.

In connection with media reports about the skimming equipment discovered at Toys R Us in Malmö, a stressed company issued a press release stating that they had changed their routines for handling the terminals once they discovered the skimming equipment, which had been found 10 days earlier. Nevertheless, the newspapers reported that identical skimming equipment had been found at the Toys R Us branch in Stockholm. So while they may very well have changed their procedures, either the change stopped at the store in Malmö or it was just a paper exercise.

Kim Haverblad
