Data breaches are likely to become costly to organizations who fail to protect their information. The TJX data breach (45 million people and counting compromised) has inspired several legal actions in both the United States and Canada.
Now a similar action is being brought against Certegy, a check verification company, who had an insider sell information to a still (as far as I know) undisclosed data broker.
An August 15th press release announced:
The law firm of Girard Gibbs LLP (http://www.girardgibbs.com/) has filed a class action complaint on behalf of approximately 8.5 million consumers nationwide whose financial and personal data was stolen by an employee of Certegy Check Services, Inc. and Fidelity National Information Services, Inc (NYSE: FIS) and released to unauthorized third parties. The complaint alleges that a senior database administrator misappropriated the confidential information of millions of consumers and then sold the data to direct marketing firms and data brokers who may have resold it to others.
“Certegy and FIS had a duty to safeguard the confidential data of consumers from any breach, including that of their employees. Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner,” said Eric Gibbs, one of the attorneys for the plaintiff. “The failure by these companies to make the internal data breach immediately known exposed consumers to direct marketing campaigns and the risk of unauthorized use of their bank accounts and identity theft.”
This case is interesting because it involves customer information that was obtained at merchants, who used the service to verify whether a person’s check, or sometimes payment card, was good.
I wrote a couple of posts about Certegy, which received a lot of comments. One comment, by a “Risk Manager,” opened up (in my opinion) another can of worms:
I think there is a bigger issue here that Certegy does not “own” the data that was stolen but in fact it is records of Certegy customers like businesses that contract Certegy for check-cashing services. I would ask Certegy to confirm what they store on their systems, how long they store it and why bank account and credit card numbers are stored AND investigate if Certegy violated any Visa/PCI mandates.
This seems to be a reasonable question, especially in light of some of the more high-profile data breaches we’ve recently seen. However, in this instance, since all it takes is one person (who has access) to compromise information, it probably wouldn’t have made much difference.
The reality is that Certegy sells the fact that they store a lot of information on people to merchants. Without this information, they wouldn’t have a service to sell.
Nonetheless, the statement does warrant consideration as to how well third-party databases are protected, especially when they contain detailed personal and financial information.
I’m not sure why the data broker who bought the information hasn’t been identified. They are responsible for buying and selling information all the time. Information is worth money and is being sold (some believe haphazardly) all the time.
Recently, it was disclosed that a data broker sold lists targeting elderly gamblers to sweepstakes (lottery) scammers. New York Times article, here.
Current laws enable financial institutions to sell your information, unless you go through a pretty complicated process of opting-out. They are required by law to notify you of your rights, but these are often sent out via snail mail and called “privacy notices.” I’ve often made the mistake of thinking they were junk mail and shredded them.
They don’t make it easy for the average person to protect their information.
I wonder how much personal information is sold to people that shouldn’t be getting it? Even if we manage to opt-out today, how much of our information is already stored on a database somewhere?
Since the people enabling information to be compromised are making billions of dollars by selling it, perhaps more of these lawsuits are one way to hold them accountable and bring some sanity to a situation which seems to get worse all the time?
Of course, more laws to protect consumers are needed, also!
As I stated earlier, this is going to be interesting. I don’t know where it will go, but maybe this is a signal to the people data mining our information to wake up and smell the coffee?
If they don’t, they might end up dealing with a lot of litigation, which is always very costly.
It also might put them out of business. Dark Reading did an article this week about another third-party vendor, Verus, which folded after it was disclosed that they lost a lot of people’s information from several hospitals. The point of compromise in this situation was the failure of some IT people to leave a firewall up when transferring information between servers.
Here are my two previous posts on the Certegy breach:
Certegy reveals their data breach is a lot larger than originally reported
12 users commented in " Class action law suit filed against Certegy for data breach "
Where can I get a copy of the summons and complaint filed against Certegy?
On August 01, 2007 I have received a letter stating that an employee of Fidelity National were selling my data to broker without consent. I am now wanting to file a lawsuit against FIS (Fidelity National), please call me at (954)804-9254 and ask for Marlynn Denord. I need more information about this incident in order to take care of the matter.
I also received a letter about the fraud and would like to file a lawsuit against Certegy for my information being sold, please contact Tina at 219-427-2499
I also received a letter about the fraud and would like to file a lawsuit against Certegy for my personal information being sold, please contact me as soon as you can give me information about this situation. Please contact me at 360-880-2252k
I also have received a letter in regards to this matter. Please contact me via e-mail.
Thank you,
I want to be sure I am speaking with the correct people and not another fraudulent act of deceit.
I too received a letter informing me that my personal information was sold by Certegy. I would appreciate any information or advice anyone has on what steps I must take in order to file a lawsuit against them.
I have received a letter as well and would like to be included in the lawsuit.
I, Angela, did receive a letter in the mail regarding this law suit. I would like to be included in the law suit, lost address please let me know today is the deadline
I too received a letter stating that an employee at Certegy had sold my checking and personal information. I would like to know the status
I also sent in my information about lawsuit. I sent in my information and want to make sure I am included in the law suit. Please contact me via email or by phone 815-444-6539.
My old address was paradise@adacomp.net. I was also sent a letter about the lawsuit and would appreciate hearing how this came out after it went to court. I have not heard anything since then.
Judith
Good site for all your questions…
https://datasettlement.com/