Friday, March 30, 2007

TJX Data Breach -- 45 Million Cardholder Accounts -- Thieves Had Encryption Key

In the past few days, newspapers, TV and the internet have all been saturated with news about the TJX data breach. Most reports state that information about 45.7 million credit and debit cards was stolen. According to the Washington Post, approximately 75% of the cards had expired by the time of the theft or the data stolen did not include security information. In September 2003, TJX started "masking" much of the sensitive data, meaning that it was partially or completely overwritten with asterisks. In other words, card account numbers would have been stored as "**** **** **** 1234."

This information follows on reports earlier this week of the arrest of a number of people in Florida who were caught buying gift cards at Wal-Mart using stolen TJX card data and then using those gift cards at Sam's Club stores (an affiliate of Wal-Mart) to purchase electronics and jewelry. Police estimate the scam netted $8 million. These bad guys are not suspected of the TJX data theft but rather are thought to have obtained the stolen card numbers from the data thieves. They created new credit cards reflecting the stolen account numbers which they then used to buy gift cards at a number of Wal-Marts across Florida.

The information for most of the news reports comes from a 10-K report which TJX filed with the Securities and Exchange Commission on March 28, 2007. The most ominous, and to my knowledge, so far unreported factoid in the filing is this:

Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.
The 10-K also states that one reason TJX has had difficulty determining what data was stolen is that many of the files in question have been deleted in the normal course of business.

TJX's filing lays out the timeline for the discovery and reporting of the intrusion.

On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.
In an (un)related matter, the TJX Board recently approved a $1 billion stock buy-back program.

Thursday, March 29, 2007

California Supreme Court to Hear Miller v. Bank of America

The California Supreme Court has agreed to hear the appeal in Miller v. Bank of America and decide the question: Does California law, which provides that a bank account into which public benefit funds or Social Security payments have been electronically deposited is exempt from attachment and execution, prohibit a bank from exercising its right to setoff as to charges - such as overdraft fees and insufficient fund fees - arising out of use of that same account?

The trial court applied Kruger v. Wells Fargo Bank (1974) 11 Cal.3d 352 (Kruger), a California Supreme Court decision which prohibited a bank from utilizing the banker’s setoff against public benefits to recover on an account holder’s delinquent but separate credit card account. The First Appellate District reversed, holding that the setoff to collect a debt owed the bank related to the account against which setoff is exercised is significantly different from Kruger in which the debt's origin was an unrelated account.

While the legal question at issue may at first glance appear to be somewhat technical and trivial, in reality, large sums of money and significant issues of public policy are at stake in this case. The First Appellate District explained:

When it ruled on summary judgment, the court also certified a plaintiff class consisting of “All California residents who have, have had or will have, at any time after August 13, 1994, a checking or savings deposit account with Bank of America into which payments of Social Security benefits or other public benefits are or have been directly deposited by the government or its agent.” In 2003, the Bank had 1,079,414 such accounts. Each month more than $800 million in government benefits is electronically deposited into class members’ accounts. Between January 1994 and May 2003, the Bank debited at least $284,211,273 in NSF and other overdraft fees from accounts containing Social Security direct deposits.
The trial court ordered Bank of America to pay compensatory damages and restitution of $296,650,220, an astonishingly large amount even for an entity like Bank of America. The appeals court reversed, however, finding a distinction between using setoff to satisfy a debt not tied to the operation of the account being debited (prohibited by Kruger) and the facts in Miller.
Collecting a debt unrelated to the bank account, such as a credit card debt, does not implicate the internal balancing of a single bank account. Neither Miller nor his various supporting amici curiae have cited, and we have not found, a single case that interprets Kruger to prohibit a bank from applying a deposit against a negative balance in a single bank account, or towards fees assessed because of that negative balance; indeed, the distinction between that practice and the banker’s setoff against an independent account that was of concern in Kruger was observed in a closely related context. In Lopez v. Washington Mut. Bank, FA (9th Cir. 2002) 302 F.3d 900, the Ninth Circuit concluded that federal law exempting Social Security benefits from seizure did not prohibit a bank from debiting a customer’s account for overdrafts and NSF fees. (Id. at pp. 902-906.)
The appellate court was also concerned that prohibiting banks from practicing standard setoff procedures on accounts receiving public benefits would drive banks away from providing banking services to benefit recipients.
There was also considerable testimony that extending Kruger to internal account balancing practices would have adverse consequences not implicated in the context of a traditional banker’s setoff. Bank witnesses testified that prohibiting a bank from debiting an account for overdrafts, chargebacks and NSF fees when a customer account contains directly deposited public benefits will cause banks to substantially curtail the services available to such account holders. Consequences might include dishonoring any checks that would overdraw those accounts instead of offering overdraft protection; dishonoring other payment requests, such as automatic bill payments, that could overdraw the account; placing maximum holds on deposited funds; forbidding online or telephone banking; and canceling or restricting account holders’ use of ATM and debit cards.

The United States also weighed in on the issue. The Treasury Department expressed similar concerns on behalf of the federal government. According to the Treasury, the injunctive relief would likely cause banks to reduce the range of services available to recipients of government benefits in order to minimize the risk of overdrafts, or cause higher prices for such services, working a significant detriment on both the plaintiff class and the general public interest. Other approaches banks potentially could take to address the increased risk of loss from overdrafts would include requiring account holders to maintain a segregated balance of nonbenefit funds in their accounts or attempting to return direct deposits of benefits that are directed to overdrawn accounts and instead requiring deposit by check. These changes, the Treasury says, would undermine the federal government’s goals of affording recipients of public benefits the same consumer protections offered other account holders and encouraging financial institutions to offer electronic banking services, including direct deposit, to individuals who traditionally do not use banks. There is no indication that any such consequences were implicated in Kruger.
Miller's counsel, as one would expect, was described as "ebullient" and quoted as saying "I have confidence that in granting the petition [for review] it intends to reinforce the public policy rule it set forth in 1974."

Tuesday, March 27, 2007

Google Registers as E-Money Issuer in EU

On March 19th, the UK Financial Services Authority authorized Google Payment Limited to issue electronic money in that country. With its UK registration, it's fairly simple under European Union rules for Google to "passport" into other EU jurisdictions and be allowed to issue e-money across the continent. Under PayPal's UK registration, for example, it is authorized to passport into 24 other countries.

There's no official word from Google on its plans in the EU, but clearly, it has plans.

PayPal Not Worried About Competition from Google Checkout

Yesterday, CNET News ran an interview with PayPal's Chief Technology Officer Scott Thompson. There are several questions about phishing and security, but I thought the most interesting part was a question about competition from Google.

Can you comment on the competition you might be seeing from Google Checkout? Have you seen any loss of market share or revenue?
Thompson: Sure. The first thing I would say is payments are really hard to deal with. It's a business that is built around precision. There is no margin for error in anything associated with payments, and that's the relationship we have with both buyers and sellers on the eBay site and our customers and merchants on eBay. Beyond that I fully expect that because payments is such a big business, that all the competitors that we know of today are going to be there tomorrow, and there is probably going to be a whole lot more that people are dreaming of right now in start-ups in Silicon Valley and elsewhere.

So there is always going to be competition, and I actually love good competition. It raises your game to a higher level when you have good competition. So as it relates to Google Checkout, where as you would expect we are very aware of what they are doing, we don't think they are in a payment system business. We think they are specifically in a check-out business, and there is quite a bit difference between checkouts and payments. I would argue that we have such a lead in the business of global payments that if somebody wants to chase after us a little bit, I think they are going to realize it's hard to do, and I think they will fully appreciate and understand the head-start we have. Nobody here is overly confident, but I think what we need to do is have a strategy and focus on that and not on any competition.
In addition, we learn that micropayments are tough:
How big do you see the market for micropayments? It seems like you would have the infrastructure to do that more broadly. Are you seeing content owners like music or print publishers going in that direction?
Thompson: Micropayments is a remarkably big opportunity. I said doing payments is hard. Well, micropayments is extremely hard, and that is why nobody has cracked the code on it yet. It's just very, very tough to do. You probably recall 10 to 12 years ago the phone companies thought micropayments (would be a way to) extend their billing reach further into their customer set. But every phone company that tried that has realized that this is a whole lot harder than they thought, and they all backed off those initiatives. So, I think somebody at some point will come up with a real cute idea on this, and it will be one that changes the game. I think that's one where you stay tuned. It probably plays out two or three years from today.
and PayPal currently has no plans to enter the world of online banking:
Is PayPal planning to move into online banking services?
Thompson: If you are PayPal, you can never say never. But I can tell you, we don't do online banking today. In the near term, we don't intend to do online banking. We have a rate payments business. We have tremendous future growth opportunities in the payment business that we are in. We are completely focused on that online payments business, and we view something like online banking as an adjacency that may be of interest some number of years from today. But now we are solely focused on online payments, and we don't want to be distracted.

Sunday, March 25, 2007

China Bars Conversion of Virtual Currency into Material Products

A number of news outlets are reporting on recent rules issued by the Chinese government limiting the use of virtual currency in that country. The best online explanation I've found is a story by Mure Dickie in the Financial Times.

A formal notice quietly issued to officials last month by the Communist party and government departments, including the central bank, has ordered “strict differentiation between virtual exchanges and online commerce in material products”.

The notice says: “The People's Bank of China will strengthen management of the virtual currencies used in online games and will stay on the lookout for any assault by such virtual currencies on the real economic and financial order.”

Virtual money can only be used to buy virtual products and services the companies provide themselves, issuance will be limited, and users are “strictly forbidden” from trading it into legal tender for a profit, says the notice.
The new restrictions appear to be a reaction to the growing popularity of a virtual money product known as "QQ Coins."
The restrictions follow Beijing’s growing concern about the influence of currencies created by internet companies, particularly the wildly popular "QQ Coins" issued by Hong Kong-listed messaging and games provider Tencent.

Tencent's messaging system is used by an estimated two-thirds of Chinese internet users and its QQ Coins have been accepted as payment by other companies as well as sold for legal tender.
It isn't clear exactly what China's primary concern about virtual currencies is. The AP says the worry is "money laundering or illicit trade." The Asia Times, however, has suggested that there is concern that the virtual currency could harm China's real currency.
The so-called "QQ" coin - issued by Tencent, China's largest instant-messaging service provider - has become so popular that the country's central bank is worried that it could affect the value of the yuan.

Public prosecutor Yang Tao issued this warning: "The QQ coin is challenging the status of the renminbi [yuan] as the only legitimate currency in China."
Some additional interesting tidbits on QQ coins from the Asia Times:
Tencent boasts more than 220 million users, and its QQ coins can be purchased with a bank, telephone or "QQ" card at an official price of 1 yuan (12.5 cents) per coin. Originally, the virtual coins were designed to pay for Tencent services such as electronic greeting cards, online games and anti-virus software. Now, however, they have reportedly developed into an alternative currency traded on the black market and used for other, less savory services, such as online gambling and private chats with "QQ girls".

Xinhua, China's official news agency, reports cases of people earning thousands of yuan per month trading in QQ coins, which they can win by playing online QQ games that pay out one coin for every 10,000 points earned. Xinhua also reports that the operators of some Internet forums are now paid in QQ coins rather than the official currency. And there is evidence that other online sites not associated with Tencent also accept QQ coins.

In addition, unofficial online vendors have sprung up to take advantage of QQ fever. They accumulate large numbers of coins by hiring professional game players to win them and also through gambling ploys, inside connections at entertainment companies and even by hacking into user accounts and simply stealing them. Then they sell the virtual currency below its official value, at a rate of 0.4-0.8 yuan per coin.
Tencent recently reported that its 2006 revenues were $358.6 million, an increase of 96% over the previous year. Net profit was $136 million, a whopping 119% jump over 2005. I can't find an official statement (at least one in English) on either the Tencent or QQ.com sites responding to the new rules on virtual currency.

I can't wait to see if other countries follow the Chinese example and attempt to limit the use of virtual currencies to purchase material goods. I don't see how such a rule could be successfully implemented without a corollary prohibiting the sale of virtual goods for real money. If you want to prevent financial transactions which are illegal in this world from taking place in a virtual world, you will have to severely limit the movement of money and goods between the two.

Thursday, March 22, 2007

House ILC Hearings Postponed to March 29

UPDATED

The House Financial Services Committee hearings on the Industrial Bank Holding Company Act legislation have been postponed until March 29, 2007. A list of persons who will testify has finally been posted on the committee's web site, although no prepared statements are available.

The witnesses will be:

Panel One:

  • The Honorable Donald L. Kohn, Vice Chairman, Board of Governors of the Federal Reserve System
  • The Honorable Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation
  • John E. Bowman, Chief Counsel, Office of Thrift Supervision
  • Erik R. Sirri, Director, Market Regulation, Securities and Exchange Commission
  • G. Edward Leary, Commissioner, Department of Financial Institutions, State of Utah

Panel Two:

  • Michael J. Wilson, International Vice President Director, Legislative and Political Action Department, United Food and Commercial Workers International Union
  • Mark Macomber, President and CEO, Litchfield Bancorp, Litchfield, Connecticut, On behalf of America’s Community Bankers
  • Jim Ghiglieri, President, Alpha Community Bank, Toluca, IL, On behalf of Independent Community Bankers of America
  • Earl McVicker, Chairman & CEO, Central Bank & Trust Co., Hutchinson, KS, On behalf of American Bankers Association
  • John L. Douglas, Alston & Bird LLP, Atlanta, GA, On behalf of American Financial Services Association
  • Mr. Marc Lackritz, Co-CEO, Securities Industry and Financial Markets Association

Wednesday, March 21, 2007

The Folly of the New Presidential Dollar Coins

Today's Washington Post contains an interesting and amusing story questioning why the U.S. Mint is issuing new dollar coins when the world is moving away from cash to electronic forms of money.

Sit down in the handsome office of Edmund C. Moy, the director of the Mint. Ask him to comment on the quote attributed to Albert Einstein: "Insanity is doing the same thing over and over again, expecting different results."

Point out that the future of money is relentlessly shifting away from physical cash. Ask him if he has lost his blooming mind. The Congress made me do it, he replies.
Moy is referring to the Presidential Dollar Coin Act of 2005 which requires the mint to issue new dollar coins featuring the images of U.S. Presidents.

Post staff writer Joel Garreau reports that the percentage of transactions made in cash versus check or debit or credit cards has declined from 21% in 2003 to an estimated 15.7% in 2008. Use of electronic payment methods, on the other hand, is expected to grow to 65% with checks taking the remaining share of the payments market.
Cash is increasingly reduced to three arenas, [cultural anthropologist Jack] Weatherford says. It is used for transactions performed by poor people -- "the unbanked population," as they are picturesquely known; anybody's small purchases -- like an ice cream cone; and for illicit activities like tax evasion, extramarital trysts and drug scores -- for which anonymity is at a premium.
Garreau notes that the transformation of money from cash to computers has occurred in a short span of time.
Computerized money produces the world we live in today. It may be hard to remember, but at the beginning of the 1990s, only 5 percent of grocery stores accepted credit cards. Now, you sign for your pomegranates. Similarly, travelers to distant lands no longer stock up on exotic cash. They are confident their money cards will meet their every need the instant they land, wherever that might be.

The next frontier is to delete even the plastic from our "plastic," says Tim Attinger, who describes himself as being in charge of ridding the United States of cash and checks. He is the senior vice president of product innovation and development for Visa USA. "I dream of a day when kids on the corner selling lemonade will take Visa payments," he says. "Not next year, but it can happen."

In Asia, it is already common to pay for things by simply waving your chip-equipped cellphone at a point-of-sale terminal, moving money with a beep as quickly as commuters sail through the Dulles Toll Road with an EZ Pass. Devices are being deployed in the United States that allow you to pay simply by pressing your fingertip to a scanner.

At that point, our bodies become our money.
His last line may be a bit too Orwellian, but his point is well taken.

And what about the initial question of why the government would start a long-term dollar coin program when prior similar coins have failed and people are moving away from cash anyway? The answer is "seigniorage."
Because it costs the Mint 20 cents to make the new dollar coin, and people pay a dollar for it, the margin on each one is 80 cents. If people proceed to squirrel the coin away, and not put it in circulation, this is wonderful. The government gets to keep that 80 cents forever.
The economics of minting coins may be a bit more complicated than that analysis, but it's true that the point of the new dollar coins, just like the 50 state quarters and Lewis and Clark nickels, is to make money off of coin collectors.

Monday, March 19, 2007

Frank Says ILC Legislation Still Necessary Even After Wal-Mart Withdrawal

Despite Wal-Mart's withdrawal of its application for an FDIC-insured ILC charter, Rep. Barney Frank, Chairman of the House Financial Services Committee, thinks federal legislation regarding Industrial Loan Corporations is still necessary. In a statement posted to the committee's website, Frank said:

I appreciate the constructive step by Wal-Mart not to pursue an ILC charter, but it does not, in my judgment, remove the need to legislate in this area.

In addition, the committee now lists the March 22, 2007 hearings on H.R. 698, the Industrial Bank Holding Company Act of 2007 on its website, although no information on witnesses is provided.

I wonder if Wal-Mart was invited.

Friday, March 16, 2007

Wal-Mart Withdraws Application for Bank Approval

Wal-Mart withdrew its application for an Industrial Loan Charter today. The retailer issued the following press release:


BENTONVILLE, Ark., March 16 /PRNewswire-FirstCall/ -- Wal-Mart Financial Services President Jane Thompson released the following statement today:

"We notified the FDIC today that Wal-Mart has withdrawn the application we made in July 2005 for an Industrial Loan Company (ILC) charter.

"This action follows January's FDIC decision to extend the moratorium on a number of pending ILC applications.

"Unlike dozens of prior ILC applications, Wal-Mart's has been surrounded by manufactured controversy since it was submitted nearly two years ago. At no stage did we intend to use the ILC to establish branch banking operations as critics have suggested -- we simply sought to reduce credit and debit card transaction costs.

"Wal-Mart's financial services already save customers over $245 million a year so they can live better. Since the approval process is now likely to take years rather than months, we decided to withdraw our application to better focus on other ways to serve customers. We fully intend to continue to introduce new products and services that champion those who deserve convenient, lower priced financial services."

Philly FRB Examines "Cost Hurdles" to Increased Acceptance of Prepaid Cards

The Payment Card Center at the Federal Reserve Bank of Philadelphia has released a discussion paper entitled General-Use Prepaid Cards: The Path to Gaining Mainstream Acceptance. Authored by James C. McGrath, this thought-provoking paper examines the prepaid card market, where it works, where it hasn't been as successful, and offers some ideas as to why particular applications have fallen into the second category rather than the first.

Clearly, general-use prepaid cards show promise, both to reduce costs and inefficiencies in existing applications and to provide cost-effective and flexible financial service alternatives to a large market of underserved consumers. At the same time, they face some unique challenges that must be addressed as the product matures. Some of these challenges stem from the newness of the product: Consumer protections and regulatory oversight remain in the early stages. Other gaps pertain more to the business model. For example, while prepaid cards may provide attractive options to many paper-based applications, many programs are themselves quite complex and costly and require operational and technological sophistication. Last, some functional limitations need to be addressed in order to improve usability and spur adoption.

The paper will address these challenges in turn. First, it will note the perceived vulnerability of prepaid cards to money laundering and will discuss other relevant regulatory issues. It then examines the profit function within the business model, looking at factors affecting costs and revenues. Finally, it addresses two issues that may accelerate consumer adoption: payroll card portability and improved and extended reloadability options. Generally, the paper finds that initiatives are already underway or that others likely to be implemented will address many of these challenges. Doing so should strengthen the value propositions underlying a number of the product applications discussed and lay the groundwork for future prepaid innovations.
This paper follows on a paper released by the PCC last month which examined money laundering risks associated with prepaid cards: Prepaid Cards: Vulnerable to Money Laundering?

Thursday, March 15, 2007

Ohio Rep. to Reveal Secret -- Wal-Mart Wants a Bank

Today's New York Times reports that Rep. Paul Gillmor (R-OH) is planning to release information which reveals Wal-Mart has a grand plan to begin providing financial services to the public. Well, kinda sorta. What he has is a copy of an undated email which suggests that Wal-Mart was revising leases with tenants that are banks to reserve the right to offer financial services itself.

In an interview last night, Mr. Gillmor said the Wal-Mart was including a clause in some tenant leases that would allow the company to some day expand its banking operations. Wal-Mart currently offers branded credit cards, check cashing and other services through partnerships with financials [sic] institutions.
The retailer claims that nothing nefarious is going on.
A Wal-Mart spokeswoman confirmed last night that the company had updated some of its tenant leases late last year to include the language in question but implied that it had been an option all along.

“There is nothing new here,” the spokeswoman, Mona Williams, said. “While we recently updated language in our leases, similar language has been in our agreements for at least five years.”
Gillmor's bombshell comes before next week's hearings before the House Financial Services Committee on the subject of corporate ownership of Industrial Loan Corporations. Emoolaw reported on those hearings earlier this week. Unfortunately, there's still no witness list posted on the committee's web page, so we don't know exactly what subjects those hearings will cover.

There are valid safety and soundness reasons for keeping general commercial firms out of the business of banking. But dozens of big corporations already own ILCs and have been approved for FDIC insurance. There are perfectly legitimate reasons for a retailer like Wal-Mart to want to own an FDIC insured ILC -- most notably, the ability to "acquire" credit card transactions on its own. Retailers currently pay banks a hefty fee for access to the credit card networks, even though the bank often just turns the business over to a processor. By being its own bank, a retailer can significantly reduce the cost of accepting credit cards. It's unclear to me why Wal-Mart should be denied that business opportunity while many other big corporations get direct access to this important payment mechanism.

The hearings next week should focus on the legal and economic issues and avoid the drama of pseudo-spectacular revelations like Gillmor's email. The policy discussion here should be about access to payment systems, supervision of financial institutions and the modern definition of "the business of banking." Let's hope that House members can avoid the "Is Wal-Mart Good or Evil" debate.

Wednesday, March 14, 2007

Sen. Chris Dodd Suggests Legislation Necessary to Curb Credit Card Abuses

In a speech on Tuesday to the National League of Cities, Senator Chris Dodd (D-CT) suggested that legislation would be necessary to curb abuses by credit card issuers.

I'm a strong advocate of credit cards; don't misunderstand me. But the abuse by the financial institutions in making it impossible for people to get out from underneath these financial problems is causing us serious, serious problems. We've already had hearings on this, and my hope is that we'll pass legislation that'll prohibit some of the practices that have made it so difficult for people to manage their financial affairs in a more solid and safe way.
It will be interesting to see what action Dodd takes on this issue in the Senate.

Tuesday, March 13, 2007

Rep. Frank to Hold Hearings on ILCs

The American Banker reported on Monday that Rep. Barney Frank (D-MA), chairman of the House Financial Services Committee, will hold hearings on March 22 on whether to close "the loophole" that allows general commercial firms to own a type of financial institution known as an Industrial Loan Corporation. At the time of this writing, there is no mention of the hearings on the Committee's website.

Frank and Rep. Paul Gillmor (R-OH) have introduced the Industrial Bank Holding Company Act of 2007 (H.R. 698) which would put an end to the practice. Frank and Gillmor proposed similar legislation in the prior Congress, but the issue has taken on new steam with the recent application by Wal-Mart to purchase an ILC. That request prompted the FDIC to extend a moratorium on applications by ILCs for deposit insurance. In explaining its actions, the FDIC noted:

In 2006, the FDIC received more than 13,800 comment letters regarding the proposed Wal-Mart Bank’s 2005 deposit insurance application. Most of these comments expressed opposition to granting deposit insurance with respect to this particular applicant; however, some commenters raised more universal concerns about industrial banks. Over 640 of the more general comments were specifically focused on the risk posed to the deposit insurance fund by industrial banks owned by commercial companies or by holding companies without a Federal consolidated bank supervisor.
For its part, Wal-Mart has expressed an interest in owning an ILC in order to provide cheaper and more convenient financial services to its customers. Business Week covered the story well when Wal-Mart first expressed interest in entering the banking world back in 2005.

Kmart Settles with FTC Over Gift Card Practices

The Federal Trade Commission announced yesterday that it had entered into a consent order with Kmart regarding certain of the retailer's practices regarding its gift card program. This is the FTC's first law enforcement action concerning gift cards.

The FTC alleged that Kmart failed to disclose a dormancy fee it charged holders of its gift card. After 24 months of nonuse, Kmart levied a $2.10 per month service fee for each inactive month, retroactive to the issuance of the card. That means if you didn't spend your card in 2 years, Kmart would "zap" $50.40 from the balance of the card. This retroactive dormancy fee was often not disclosed before purchase, or was explained in tiny type or in text obscured by packaging. In addition, Kmart advertised that their gift cards function like cash and "never expire."

Under the consent decree, Kmart agrees to clearly and prominently disclose expiration dates and fees associated with its gift cards. In addition, Kmart will not attempt to collect dormancy fees on any cards issued prior to the consent order and will create a mechanism by which consumers who were charged such fees may seek reimbursement. The consent order does not constitute an admission of guilt by Kmart.

The consent decree was approved by the Commission on a 5-0 vote. Commissioners Harbour and Leibowitz, however, wrote separately stating their opinion that the order does not go far enough and that Kmart should be required to disgorge profits it made collecting the dormancy fees.

The FTC will accept public comments on the consent order through April 10, 2007 after which it will decide whether to make the order final.

Monday, March 12, 2007

The Key to Mobile Payment Success -- Failing Fast

The barrage of news on mobile payment initiatives is almost overwhelming. The Wall Street Journal tells us that "Mobile Banking Shifts into High Gear" while Paymentnew.com delves into Visa's Mobile Platform Initiative. Every day brings another announcement:

Amongst all the hype, I finally found a nugget of wisdom to help make sense of all of this -- and from a Canadian publication nonetheless. The February 2007 issue of ITWorldCanada (now my favorite maple leaf tech journal) reports on a speech by W. Roy Dunbar, MasterCard's president of global technology and operations, at the Card Forum & Expo in May 2006:
Dunbar says MasterCard has plenty of good ideas; the question is knowing which ones to pick. Dunbar joined MasterCard two years ago after more than a decade at Eli Lilly. One of the main concepts he brought with him from the pharmaceutical industry was the idea of failing fast -- that is, testing ideas quickly and discarding them if they don't work. In this way, one can accelerate the process of finding ideas that do work.
I like the idea of "failing fast." You can make a lot of jokes about the concept, but it does appear to describe what successful technology companies do well and what large financial service providers do poorly.

Friday, March 9, 2007

2007 Mobile Financial Services Study

Edgar, Dunn & Company and Mobile Payments World have released their 2007 Mobile Financial Services Study which investigates mobile banking and mobile payments. The study is based on a survey of approximately 500 "thought leaders in mobile payments and financial services from around the world" (which means subscribers to the sponsors' publications).

When asked "which participants in the Mobile Payments value chain will be the most critical to the achievement of critical mass?" 70% of respondents said "merchants" and 65% said "consumers" with smaller numbers citing mobile carriers, financial institutions and handset manufacturers.

Respondents felt there was currently no "killer app" in mobile payments, but thought that transportation, micropayments and mobile wallets had the potential to achieve that status.

In terms of time frame, 60% felt mobile payment adoption would be "gradual" while 40% thought it would be "rapid."

Frequent Errors In FBI's Secret Requests for Financial Records

Yikes. From today's Washington Post.

Frequent Errors In FBI's Secret Records Requests
Audit Finds Possible Rule Violations
By John Solomon and Barton Gellman
Washington Post Staff Writers
Friday, March 9, 2007; A01

A Justice Department investigation has found pervasive errors in the FBI's use of its power to secretly demand telephone, e-mail and financial records in national security cases, officials with access to the report said yesterday.

The inspector general's audit found 22 possible breaches of internal FBI and Justice Department regulations -- some of which were potential violations of law -- in a sampling of 293 "national security letters." The letters were used by the FBI to obtain the personal records of U.S. residents or visitors between 2003 and 2005. The FBI identified 26 potential violations in other cases.

Officials said they could not be sure of the scope of the violations but suggested they could be more widespread, though not deliberate. In nearly a quarter of the case files Inspector General Glenn A. Fine reviewed, he found previously unreported potential violations.

The use of national security letters has grown exponentially since the Sept. 11, 2001, attacks. In 2005 alone, the audit found, the FBI issued more than 19,000 such letters, amounting to 47,000 separate requests for information.

Read the complete article.

Thursday, March 8, 2007

Moola Zoola Criminal Trial Postponed (Again)

Federal District Court Judge Michael H. Schneider has again postponed the trial of Robert Arbuckle, who is accused of using his prepaid debit card company Moola Zoola to commit fraud and launder money. The trial had been scheduled to start last fall and then was rescheduled for March 19th. At the request of both the prosecution and defense, the court has set a new deadline of April 30, 2007 for the parties to reach a plea agreement; otherwise, trial will begin on June 4th. The fact that both sides asked for the extra time suggests that they're trying to work out a deal.

Prosecutors allege that Arbuckle issued Moola Zoola debit cards funded with money acquired through a PayPal scam. Money was moved from Moola Zoola account to Moola Zoola account in order to hide the origin of the funds. Ultimately the money was withdrawn from ATMs in the U.S. and Russia.

The case appears to be the first prosecution of money laundering involving debit cards.

Some Fees are More Equal Than Others -- Senate Investigates Credit Cards


The U.S. Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigations held hearings yesterday on the topic "Credit Card Practices: Fees, Interest Rates, and Grace Periods."

Prepared statements from Chairman Carl Levin (D-MI) and ranking minority member Norm Coleman (R-MN) are posted as well as the testimony from the head honchos of Bank of America, Citibank and Chase. The bankers' prepared remarks are pretty standard and pretty boring. Their unscripted remarks, according to news reports, were more forthcoming, with the bankers apologizing for most abusive practices and promising to mend their ways.

Much more interesting is the report of Alys Cohen, Staff Attorney at the National Consumer Law Center. The NCLC has documented a number of real world examples which show how bank junk fees, penalty rates, universal default and late payment triggers constitute unfair and abusive practices. For us lawyers, there are lots of good case cites and quotes. My favorite has to be from Perry v. FleetBoston Financial Corp. The court described a bank's ability to change the rules at will as placing consumers in "an Orwellian nightmare, trapped in agreements that can be amended unilaterally in ways they never envisioned." This court went on to say that it was

reminded of George Orwell's 1946 work, Animal Farm, in which the pigs assume power and change the terms of the animals' social contract, reducing the original Seven Commandments, which included ‘All animals are equal,’ to one—‘All animals are equal, but some animals are more equal than others.’
The incomprehensible nature of credit card disclosures was also challenged. Senator Coleman stated:
After wading through that morass, it should come as no surprise to learn that the Government Accountability Office recently reported that disclosures are sometimes written at a “twenty-seventh-grade level.” I can only assume that one would need – after twelve years of grade school and four years of college – a 4-year medical degree, a 5-year PhD, and a 2-year MBA to fully grasp those particular provisions.
Just don't fund that education on your credit card!

Wednesday, March 7, 2007

Protecting Banks from Retailers' Data Breaches

State Representative Michael Costello has introduced a bill in the Massachusetts legislature which would make retailers whose information systems are compromised reimburse banks for costs associated with cancelling and reissuing customers' accounts and credit cards. House Bill 213 would make a commercial entity which suffers a data breach liable to a bank for the "costs of reasonable actions undertaken by the bank on behalf of customers of the bank as a direct result of an actual breach of data security...." Types of costs covered include:

  • cancelling and reissuing a credit card
  • closing accounts and blocking transactions
  • opening of new accounts
  • refunding unauthorized transactions
Retailers would argue that they already pay for credit card fraud in the high interchange fees that the card associations assess on every transaction. In addition, the card associations can (but rarely do) fine merchants who don't follow security procedures.

The Wall Street Journal reports that similar legislation at the federal level is possible:
Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said yesterday that he believes Congress also will pursue data-security legislation that would require the entity responsible for a breach to bear the costs incurred from customer notification and card reissuance. He also favors a "national trigger" for notification about such a breach.
Rep. Frank wrote to Visa and MasterCard in February 2006 complaining that the responsibility for notifying consumers that their financial information may have been compromised fell to banks rather than the retailers who lost the confidential data.

Tuesday, March 6, 2007

OTS Releases Guidance on Gift Cards

The Office of Thrift Supervision (OTS) issued guidance on Friday to thrifts that offer gift card programs. According to the OTS press release, approximately 20% of the institutions it regulates issue gift cards in some form. The guidance covers both open-loop or branded cards (e.g., Visa, MasterCard, American Express) as well as closed-loop cards which are typically limited to a single merchant. The OTS document doesn't say much of anything new or helpful, but it does summarize the current state of things. Federal savings associations should follow applicable federal rules, including:

  • OTS's advertising rule
  • OTS's nondiscrimination rule
  • Federal Trade Commission prohibitions on unfair or deceptive trade practices
  • Bank Secrecy Act regulations
  • USA PATRIOT Act
  • OTS's Funds Transfer Rule
  • OTS's Electronic Operations Rule
As to the $64,000 question -- what's an appropriate anti-money laundering program under the BSA or an appropriate customer identification program under the PATRIOT Act -- there's not much help. Follow risk-based internal controls for an institution of your size and type of business.

The guidance does reiterate the conclusion of an OTS legal opinion from last summer that federal law preempts many state law restrictions on gift cards issued by federal savings associations.

And be sure to check out the OTS's new Consumer Fact Sheet: Buying, Giving, and Using Gift Cards. They went all out on the graphics.

Monday, March 5, 2007

FinCEN Gets New Director

James H. Freis was named the new Director of the Financial Crimes Enforcement Network (FinCEN). FinCEN is the bureau within the Treasury Department which administers the Bank Secrecy Act (BSA). The BSA requires financial institutions and certain other financial service providers to report on certain financial transactions. The data is used by regulatory and intelligence agencies.

Friday, March 2, 2007

Feds Charge Stop & Shop Thieves with Identity Theft

Four California men were arrested on Monday after being caught in the act of modifying a PIN pad at a Stop & Shop store. They were formally arraigned on multiple felony charges in state court. On Wednesday, Federal prosecutors filed a criminal complaint against the men charging aggravated identity theft and conspiracy to traffic in fraudulent access devices. The dollar amount of the fraud is not precisely known at this time, but media reports suggest it’s at least $100,000 and will continue to grow as the investigation proceeds.

Read the AP story in BusinessWeek

Emoolaw posts discussed the discovery of the modified PIN pads and also the arrests of the bad guys.

Thursday, March 1, 2007

CFSI Study on PrePaid Cardholder Spending Patterns

The Center for Financial Services Innovation and the Federal Reserve Banks of New York and Chicago released a new study entitled “Cardholder Use of General Spending Prepaid Cards: A Closer Look at the Market.”

The study gathered data from 4 card providers on approximately 2000 card holders. Some of the conclusions the researchers reached include:

  1. Card holders spend almost all of the funds loaded on to a card each month
  2. Point-of-Sale (POS) transactions significantly outnumber ATM transactions and card holders typically spend most of their money via POS
  3. Fee structures and amounts, which had been quite variable, have become more consistent.
The paper also discusses which features (rewards programs, credit building, savings features) cardholders find most desirable.

The detailed statistical analysis combined with insightful analysis is a must read. To whet your appetite, I've borrowed a couple of interesting charts:






Wednesday, February 28, 2007

Four Arrested in Stop & Shop Data Thefts


The Associated Press reports that 4 California men have been arrested and charged in a scheme to steal card numbers and PINs. They were caught trying to remove a PIN pad in a Stop & Shop store in Coventry, R.I. and are the prime suspects in a series of similar tamperings which we reported on last week.

After discovering compromised devices earlier this month, the store bolted down the keypads in all of the stores and that precaution thwarted the thieves this time. A store security officer saw the men messing with the PIN pad and called the police.

The lesson for other merchants -- consider adding bolts to your data security plan.

Monday, February 26, 2007

EU Parliament Says Central Bank Should "Swiftly" Address Data Protection


The European Parliament has adopted a resolution which admonishes the European Central Bank (ECB) for failing to enforce EU privacy laws against SWIFT (the Society for Worldwide Interbank Financial Telecommunication) which provided data on financial transactions to U.S. law enforcement. SWIFT is a cooperative of European banks and financial service companies which provides automated systems that enable members to transfer money between and amongst themselves. On a daily basis, SWIFT handles millions of transactions -- many of them cross-border -- totalling trillions of dollars.

The story begins in June 2006 when the New York Times reported that as a part of on-going terrorism investigations, U.S. law enforcement had requested and received from SWIFT access to information on millions and millions of funds transfers made through the messaging system. SWIFT has some operations in the U.S., including a data center with a mirror of all of the transaction data. When American law enforcement served a subpoena on SWIFT seeking access to data in the U.S., SWIFT felt legally obligated to comply. SWIFT explains its actions this way:

SWIFT negotiated with the [U.S. Treasury] over the scope and oversight of the subpoenas. Through this process, it received extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas. These protections go well beyond and are more stringent than SWIFT’s legal obligations.
Despite the limitations placed on the surveillance effort, the program was heavily criticized, especially in Europe and numerous investigations ensued. Because SWIFT is based in Brussels, the Belgian Privacy Commission looked into the matter and reported its findings. The Belgian report provides the best description of what exactly US officials asked for and how SWIFT responded. The Commission concluded that SWIFT should have informed European authorities of the American subpoenas before complying.
As far as the communication of personal data to the [U.S. Treasury] is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas.
SWIFT, however, strongly disagreed with the Commission's conclusions. The Commission categorized SWIFT as a "data controller" while the group viewed itself merely as a "data processor." SWIFT felt the Commission had misunderstood its role in the financial transactions it facilitates and consequently placed greater obligations upon it than the law requires.

The European Parliament also conducted an investigation. The Committee on Civil Liberties, Justice and Home Affairs held a joint hearing with the Committee on Economic and Monetary Affairs on October 4, 2006 on the interception of bank transfer data from SWIFT by US intelligence agencies. In January, Members posed additional questions to the EU Commission and to the EU Council regarding their knowledge of and response to the matter. The interrogatory posed to the Council pointedly asks: "Why have the Council and the Member States been passive in an affair where their citizens' data have not been protected and where there is a suspicion of business espionage?"

On November 22, Parliament's Working Party on the Protection of Individuals With Regard to the Processing of Personal Data (often referred to as the Article 29 Working Party or WP29) issued an opinion which concluded that the provision of bank transfer data by SWIFT to US authorities violated portions of the EU Data Protection Directive. WP29 agreed with the Belgian Commission that SWIFT should be categorized as a data controller with greater obligations with regard to privacy.

The European Central Bank responded to Parliament in a January 30, 2007 letter setting out its views of the issues. The Central Bank noted that there is no viable alternative to SWIFT for many transactions. With regard to the use of SWIFT services, the ECB said it would seek the consent of individual counterparts in payment transactions before providing their information to SWIFT. In response to suggestions that it take responsibility for ensuring that SWIFT is in compliance with EU data protection rules, the ECB firmly stated that such oversight is outside of its legal authority.

On February 1, 2007, Peter Hustinx, the European Data Protection Supervisor issued an opinion stating that the European Central Bank, as a user and overseer of SWIFT as well as a policy maker, should have exercised appropriate control and supervision over the service. The EDPS requested that the ECB
urgently explore and promote appropriate solutions in order to clearly bring compliance with data protection rules within the scope of the oversight - to the extent in which lack of compliance may affect financial stability and without prejudice to the competences of relevant national or European data protection authorities - as well as to ensure that rules on confidentiality would not prevent relevant authorities from being duly and timely informed where necessary. This would ensure that on future occasions proper data protection safeguards are taken and that the current lack of transparency is avoided.
The opinion continues:
Furthermore, the EDPS stresses that it would not be acceptable that the architecture of the European payment systems would continue to allow and facilitate that personal data relating to any euro payment between Member States are transferred to third countries in breach of the data protection legislation and made available - routinely, massively, and without appropriate guarantees - to third countries authorities. Therefore, the EDPS calls on the ECB, in cooperation with other central banks and financial institutions, to ensure that European payment systems, and in particular the TARGET systems, are fully compliant with European data protection law.
According to The Register, the EDPS can take punitive action against the ECB, but its options are fairly limited. It could bar the central bank from using SWIFT to make payments, but given that there is no alternative for making international payments, that possibility seems remote.

Which brings us back to the European Parliament's resolution on the SWIFT controversy and, more specifically, on the ECB's role in policing data protection in the payment system. The resolution endorses the Hustinx opinion and calls on the ECB to take the following actions:
  • as SWIFT overseer, to explore solutions in order to ensure compliance with data protection rules and to ensure that rules on confidentiality do not prevent information from being supplied in good time to the relevant authorities;
  • as user of the SWIFT Net-FIN, to explore solutions to bring its payment operations into compliance with data protection legislation, and to prepare a report on the measures taken no later than April 2007;
  • as policymaker, to ensure, in cooperation with central banks and financial institutions, that European payment systems, including the updated 'TARGET2' system for wholesale payments, fully comply with EC data protection law; calls for the ECB to provide the Parliament with the assessment of such compliance.
The ECB is supposed to issue a report in April which will presumably address Parliament's concerns.

Friday, February 23, 2007

Senate Schedules Hearings on Abusive Credit Card Practices

The American Banker reports today that Sen. Carl Levin (D-MI) has scheduled another set of hearings into credit card company abuses for March 7, 2007. No information on witnesses is available at this time.

Levin is chairman of the Senate Permanent Subcommittee on Investigations which has focused on consumer protection in the credit card industry before. Back in 2004, the PSI looked into the topic of abusive practices in credit counseling.

Last year, Levin asked the Government Accountability Office to study and report on credit card rates and fees, how they have evolved over time, whether they are properly disclosed to consumers, whether increased fees have led to more bankruptcies and finally, how much profit the issuers were making from these fees. In September 2006, GAO issued its report which is full of interesting statistics and charts. Its conclusions in a nutshell: rates and fees are more complex; hard to tell what effect it has had on bankruptcies; notices could be improved; and, while fees are up, card issuers are no more profitable.

UPDATE

The Subcommittee has announced details of the hearings. The hearing will focus on how issuers apply interest rates and fees to credit card accounts. Witnesses are from the three largest card issuers: Bank of America, JPMorgan Chase and Citibank.

Stop and Shop PIN Pad Rigging Similar to Canadian Cases

Digital Transactions reports that the Stop and Shop data breach disclosed recently appears similar to a series of Canadian crimes that took place last year. In both cases, PIN pads were modified to capture card and PIN information.

Last summer, Canadian police arrested at least 10 people they said used rigged card terminals to intercept PINs as cardholders entered them at the point of sale as part of a scheme in which they stole $4 million (Canadian) from 18,000 customer bank accounts (Digital Transactions News, June 21, 2006). In what press accounts called one of the most technologically sophisticated cases of debit card fraud yet discovered, the suspects swapped their own card readers for those installed in some 42 retail locations in the Montreal area, then used Wi-Fi connections to send PINs and card numbers to a remote receiver. With that information, they were able to forge cards and loot the associated accounts through ATM withdrawals. Similar cases of tampering cropped up in other Canadian cities last year, as well.

What liability Stop and Shop may have to customers who are harmed by the data breach will turn in part on whether the company took appropriate security measures to protect the PIN pads. Digital Transactions also reports that the security standards for some PIN pads changed at the beginning of the year.

The perpetrators may have exploited an inspection loophole in point-of-sale systems that was closed in the recent update of the Payment Card Industry (PCI) data security standards promulgated by the leading payment-card networks. Under the old PCI standards, POS equipment that did not run on an Internet Protocol (IP) operating system did not require an assessment for PCI compliance, says Scott Laliberte, IT risk group director at Protiviti Inc., a Chicago-based security firm and PCI auditor.
If Stop and Shop's PIN pads did not run on IP, then it will be more difficult for potential plaintiffs to argue that the stores were not in compliance with industry security standards.

Thursday, February 22, 2007

Pew Research Center: What Americans Pay For -- and How

The Pew Research Center just released the results of a survey it conducted last Fall regarding what kind of expenses people are paying for and how they make those payments. They spoke with 2000 people by telephone and asked them about their daily purchases and monthly bills, whether they used cash or checks or cards, whether they followed a budget and if they had ever experienced debt problems. The results are quite fascinating.

To pay for everyday purchases, people use: Cash 37%, Debit 31%, Credit 16%, Checks 15%
For monthly bill paying, people use: Checks 54%, Online 28%, Cash 15%

Debit card use was higher among younger people whereas checks were more popular with the over 65 crowd. 18-29 year-olds rely primarily on cash (52%) for everyday living expenses.

I've excerpted two of the numerous charts from the report:





Tuesday, February 20, 2007

BoA, VISA Sued for Patent Infringement by Every Penny Counts


Bank of America and VISA were recently sued by Every Penny Counts, Inc. which alleges that BoA's "Keep the Change" program infringes upon its 1995 patent for a "Method and system to create and distribute excess funds from consumer spending transactions." When a participant in "Keep the Change" makes a purchase with his or her debit card, the Bank "rounds up" the amount deducted from the card holder's account to the nearest dollar and then puts that extra change into a savings account. In the UK, the idea has been copied by Lloyds TSB.
Last summer, BusinessWeekOnline did a big write up on how BoA, wanting to bring in new accounts, hired "an innovation and design research firm" to "conduct ethnographic research on boomer-age women with children." Women with children apparently have a tendency to round off entries in their checkbooks to an even amount, and they have a hard time saving money. Taking this important information, BoA

put together a team of product managers, finance experts, software engineers, and operations gurus and held 20 brainstorming sessions. The team generated 80 product concepts, boiled them down to 12, and overwhelmingly favored one: rounding up the financial transactions of consumers and transferring the difference to their savings.

The final little twist to this story is that at least one report in the blogosphere suggests that BoA filed for a patent on the "Keep the Change" idea itself.


Monday, February 19, 2007

Stop & Shop Data Breach -- POS Devices Tampered With




The Boston Globe reports that point-of-sale (POS) devices at several Stop & Shop locations in Rhode Island and Massachusetts were tampered with, allowing thieves to steal credit and debit card information and PIN numbers. Stop & Shop issued a public letter to its customers about the incident and published Frequently Asked Questions on its website. While the Stop & Shop FAQs state that "no fraudulent transactions relating to debit or credit cards used at these store locations have been reported to Stop & Shop," the Boston Globe story says that a "bank notified Quincy, Mass.-based Stop & Shop this week that illegal purchases were made."

So far, no information on the make or model of the POS devices or how they were tampered with. If litigation ensues, one wonders if the hardware manufacturer will be brought into the fight.

Saturday, February 17, 2007

TJX Class Action Lawsuits

At this point in time, there are 5 class action lawsuits filed against TJX and, in some cases, its acquiring bank Fifth Third. Four of the cases attempt to assert claims on behalf of all individuals whose personal information was compromised by TJX. The fifth case (Amerifirst) asserts claims on behalf of all financial institutions which issued credit and/or debit cards that were compromised by the TJX data breach. The cases are summarized in the chart below.


| Plaintiff(s) | Defendant(s) | Court | CA number | Filed |
|---|---|---|---|---|
| Wood, Willoughby | TJX, Fifth Third | N.D.Ala. | 07-cv-00147 (RDP) | 01-19-07 |
| Miranda, Farley, Jenkins | TJX, Fifth Third | D.P.R. | 07-cv-01075 (FAB) | 01-26-07 |
| Mace | TJX | D.Mass. | 07-cv-10162 (WGY) | 01-29-07 |
| Amerifirst Bank | TJX, TJ Maxx, Fifth Third | D.Mass. | 07-cv-10169 (JLT) | 01-29-07 |
| Gaydos | TJX, Fifth Third | D.Mass. | 07-ca-10215 (WGY) | 02-05-07 |

For some reason, not all of the columns in the chart are viewable on the blog. You can view the entire chart here.

I'll post the complaints as well as an analysis of each case in the next few days.

Friday, February 16, 2007

The Economist Announces the End of the Cash Era

The cover of the February 17-23, 2007 issue of The Economist announces "the end of the cash era" with a cute graphic of dinosaurs made of coins and bills. In an editorial, the magazine acknowledges that the trend of electronic payments replacing cash transactions is unstoppable, but urges that payment systems be designed to preserve anonymity. A second article explores new technology for making payments by smart card and mobile phone. Interesting details on new products in Europe and Asia. The article focuses mostly on technology, but the last few paragraphs address the primary business issue -- who is going to control (and make money) from these transactions: banks, card associations, wireless companies. The editorial is available on-line but requires a subscription.

The article is available for free.

Wednesday, February 14, 2007

Identity Theft is Down. Who Knew?

Last week Javelin issued a study on identity theft it conducted for Wells Fargo, VISA and Checkfree. They found the number of people reporting they have been victims of identity theft has gone down in recent years. Javelin calculated the number of cases of fraudulent use of personal data (such as credit card numbers or social security numbers) per year as follows:

  • 10.1 million cases in 2003
  • 8.9 million cases in 2005
  • 8.4 million cases in 2006

Their conclusions are based on data gathered by a telephone survey. It will be interesting to see whether the TJX incident has any effect on this trend.

Tuesday, February 13, 2007

Massachusetts AG to Lead 30 State Probe Into TJX Data Breach

Massachusetts Attorney General Martha Coakley announced her office will lead a multi-state civil investigation into the recent data breach at TJX Companies, parent to TJMaxx, Marshalls, HomeGoods and a number of other well known retail chains. Coakley has asserted control of the investigation because TJX is based in Framingham, MA. Eweek.com reports that 30 other states have joined the probe.

The Massachusetts Bankers Association reports that thieves have made fraudulent use of credit and debit card information from the TJX incident in Florida, Georgia and Louisiana, as well as in Hong Kong and Sweden. Nearly 60 banks in Massachusetts have been contacted by the card associations and told that information about their card holders was disclosed. Banks are notifying their customers and in many cases are reissuing cards.

The fact that card holders and banks are (allegedly) able to trace particular fraudulent transactions back to a particular data breach by a particular corporation means the TJX matter is going to be very significant. It is the first big case in which people harmed by a data breach will be able to identify and then, of course, sue the company responsible for the disclosure of their personal information. Will there be class action lawsuits? Oh, please! Half a dozen have already been filed and my guess is that's just the start. More info on the class action litigation in a future post.

Monday, February 12, 2007

A Confusing, Convoluted Victory for DataTreasury

DataTreasury Corp. scored a victory of sorts before the U.S. Court of Appeals for the Federal Circuit, announcing today that the appellate court affirmed a lower court's ruling dismissing DataTreasury's patent infringement case against Electronic Data Systems Corp. (EDS). That's right -- the court dismissed DataTreasury's suit against EDS and DataTreasury counts that as a victory. Here's why:

DataTreasury holds several patents which purport to cover the process of storing and sharing images of checks over the internet. The company claims that its patents are integral to the implementation of Check 21 -- the recently enacted law which allows banks to clear checks by sending images of the documents to each other rather than the paper itself. DataTreasury has made quite a name for itself by suing lots of banks and financial service providers for patent infringement. JPMorgan Chase, Citibank, Bank One, Wells Fargo, Zions, First Data, RDM, NetDeposit and, of course, EDS have all received a summons from DataTreasury. Even more surprising than the fact that this little company would take on the big dogs is how successful its strategy has been. Many of the defendants, including the normally ferocious rottweiler JPMorgan Chase, have settled with DataTreasury and even more corporations have lined up to pay licensing fees in order to avoid litigation.

So what explains DataTreasury's jubilation at having its case against EDS thrown out? You need to know one other fact. DataTreasury actually had two lawsuits against EDS going at the same time. The case that was dismissed was filed in Federal District Court for the Northern District of Texas (N.D.Tx). The second case was filed in Federal District Court for the Eastern District of Texas (E.D.Tx). Northern? Eastern? Does it really make a difference? You bet it does. Plaintiffs who file patent infringement suits in the E.D.Tx win more often than plaintiffs in any other Federal court in the country. If it has to be sued for patent infringement, EDS wants to be in any court other than the Eastern District. When the judge in the N.D.Tx dismissed the case before him in favor of the case in the E.D.Tx, EDS quickly appealed to the Federal Circuit. By affirming the Northern District decision, the appellate court is forcing EDS to proceed in the hostile Eastern District.

To further complicate matters, we should recognize that many commentators believe the DataTreasury patents are invalid and unenforceable. To be patentable, an innovation must be "novel" and "nonobvious." In other words, it should be something new and surprising and not an old idea or something that immediately pops to mind. Sending images of documents over the internet is not a particularly earth-shattering breakthrough, even if the documents are checks. Further, earlier patents and industry publications suggest that DataTreasury didn't come up with the process first. Critics of DataTreasury got a major boost in December 2006 when the Patent and Trademark Office (PTO), following a reexamination of DataTreasury's primary check imaging patent, concluded that it failed to meet the standards for patent protection. DataTreasury vowed to appeal the decision.

Barring a successful appeal to the Supreme Court, DataTreasury’s case against EDS will go forward in the Eastern District of Texas where the juries rarely fail to enforce a patent. It will be interesting to see what they do with a patent that even the PTO agrees isn’t valid.