The 40 million people affected last month by a data breach at the US offices of CardSystems Solutions will find little comfort in knowing they are not alone.
As early as February, more than a million US federal government charge card holders found themselves similarly exposed at the Bank of America. In March, it was 1.4 million customers of DSW Shoe Warehouse.
Since then, cardholders at Polo Ralph Lauren, LexisNexis and Time Warner have also suffered.
MasterCard, which had 13.9 million customers affected by the CardSystems breach, immediately called for a tightening of the Gramm-Leach-Bliley Act (GLBA).
"Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard," said the company in a statement. "MasterCard urges Congress to extend that application to also include any entity, regardless of whether or not they interact directly with consumers."
But some argue that mere regulation will not help, and that industry needs a different attitude towards consumer data storage.
"It's very difficult because data has to be available to those who check it, in as easy a way as possible. But it also has to be secure," said Clive Longbottom, principal analyst at analyst firm Quocirca.
"What we need to see is a movement towards hashed data, rather than securing the perimeter. If a company was only verifying hashed numbers, then all anyone who steals information would get is a useless figure rather than account details."
According to Longbottom, the biggest hurdle facing data brokers is moving people over to the new system.
"It's one of those 'if I want to get there I wouldn't start from here' situations," he said. "But this will continue to happen unless industry tightens up its act."
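The "verify hashed numbers instead of storing account details" model Longbottom describes, as an added illustration that is not part of the original article: the record keeper stores only a keyed fingerprint of the card number plus the last four digits, and checks a presented number by recomputing the fingerprint. The key, the record layout and the test card numbers are assumptions; the key is used because a plain hash of a 16-digit number is not a "useless figure" on its own.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard card-number sanity check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes and reject anything that is not a plausible card number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("malformed card number")
    return digits


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the card number.
    An unkeyed hash would not do: valid 16-digit numbers are few enough that
    whoever steals the hashes could recompute them. With the key held apart
    from the records, a stolen fingerprint is only a useless figure."""
    return hmac.new(key, normalise_pan(pan).encode(), hashlib.sha256).hexdigest()


def make_record(pan: str, key: bytes) -> dict:
    """What gets stored: the fingerprint and the last four digits for display, never the number itself."""
    digits = normalise_pan(pan)
    return {"fingerprint": pan_fingerprint(digits, key), "last4": digits[-4:]}


def verify(pan: str, record: dict, key: bytes) -> bool:
    """Check a presented card number against a stored record, comparing in constant time."""
    try:
        candidate = pan_fingerprint(pan, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, record["fingerprint"])


if __name__ == "__main__":
    KEY = secrets.token_bytes(32)                  # assumed: in practice kept in a separate key store
    rec = make_record("4111 1111 1111 1111", KEY)  # constructed test number
    print(rec, verify("4111111111111111", rec, KEY))
```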
The Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernisation Act, provides protection against personal information theft. According to GLBA, banks, brokerage and insurance companies must store personal data securely. So far, the Act does not cover third-party firms such as CardSystems, which will not face any legal ramifications as a result of this month's breach.