Analysis: E-tailer credit card cover-up - California dreamin'?

We ask for affected users to complain - or reveal a Golden State address

Tags: clydesdale bank, goldfish, visa, morgan stanley

By silicon.com

Published: 10 May 2006 13:00 GMT

A data breach at a retailer with UK online operations has highlighted the stark difference between the legal landscape here and in California - and how British consumers, retailers and financial services companies might be losing out.

In the UK retailers and financial services companies can keep details of such breaches secret from their customers, whereas in California a law has existed for almost three years meaning companies with operations or customers resident in that US state have to come clean about incidents of compromised, unencrypted personal data.

For more than two weeks silicon.com reporters, following feedback from dozens of readers, have been speaking to three constituencies to find out the source of the recent breach: credit card issuers, MasterCard and Visa, and, most importantly, UK e-tailers.

On Wednesday 26 April, this publication broke the news that 2,000 credit card holders, including some customers of the Clydesdale Bank, had been informed that their MasterCard credit cards were being replaced because of a security breach.

At that time, as we put in calls to find out what the exact problem was, we felt like it was the bad old days of secrecy about online fraud. We wrote this leader article, unsurprisingly entitled 'Had a security breach? 'Fess up'.

The next day we revealed that UK holders of MasterCard cards from Morgan Stanley, and its Goldfish credit card arm, had also been hit.

MasterCard wouldn't say whether the confirmed breach was linked to some high-profile incidents in the US. By this stage readers were telling us they had been told many more people had been affected but we were unable to confirm exact numbers - although it was clearly in the thousands.

By the next day, Friday 28 April, silicon.com moved the story on and pushed both MasterCard and Visa to release more details about the source of the data breach.

MasterCard used the phrase "a UK-based retailer" while Visa's statement spoke of "a UK-based online merchant".

Other publications picked up the story over the May Day long weekend, but without the co-operative readers who were feeding information to silicon.com, details remained scarce for them.

This publication spoke to the Information Commissioner's Office. A spokeswoman told us: "There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur."

Marc Dautlich, senior solicitor at law firm Olswang, said: "The bottom line is in the UK there is not a positive obligation to tell consumers about a breach."

By contrast, in California the Security Breach Information Act (Sbia) requires any company with a presence or customers in the state to notify those customers if their unencrypted personal data could have been compromised. A number of breaches have been disclosed under it since the Act came into force on 1 July 2003.

The federal Data Accountability and Trust Act (Data) now takes this type of legislation national in the US, though arguably it will prove to be less effective.

Emails and reader comments from silicon.com readers continued to pile into our virtual mailbag.

We asked our CIO Jury what they thought about naming the e-tailer in question. They are all consumers, so we expected them to want openness, but they also all run operations that could in most cases be hit by such bad PR, so we expected some to be reticent. Yet even they came out 11 to one in favour of the affected organisation coming forward.

Ian Auger, IT director at ITN, said: "I think any reputable company would want to do so and I would like to think that people who were affected would be understanding, as long as the affected company could show that they had taken good precautions to protect the data."

One reader put it this way: "As one of those affected, I believe that if there is no doubt as to where the data originated then we should be made aware of that fact."

silicon.com reporters got back to all those who wrote in. We asked them who they had shopped online with using the credit cards that had now - with some inconvenience, in some cases - been cancelled.

Only one company appeared in common on all their lists. We spoke to that company several times a day for five days. The end result: they said that, to their knowledge, no breach had occurred from their business.

We were almost back to square one. Almost.

silicon.com is now casting its net to ask whether any of our readers affected by this breach - or people our readers know who have been affected - reside in California. If so, we believe the Sbia applies. (Drop us an email at editorial@silicon.com if we've just described you.)

We are also asking those affected to complain to their card issuer for refusing to disclose the e-tailer, on the grounds that the e-tailer has failed to provide adequate protection for their data. This is the first step towards a complaint to the Information Commissioner's Office, which would be more likely to investigate the incident after public demands to do so. (Again, drop us an email if you want a hand with this.)

Tony Hallett, editor of silicon.com, said: "We have to keep chasing this. It isn't simply a case of naming and shaming - even if that's what a lot of customers are telling us they want - it's about the right way to do business.

"It is still conceivable there is a reason to hold off coming forward but as the more enlightened tech experts have told us, not covering up this sort of thing is a better long-term approach."

Olswang's Dautlich added: "I think that this little-known Californian law has got a potential effect much bigger than people are thinking at the moment. It's definitely having a ripple effect."
