Boston.com

Retailer knew last fall about security breach that recently roiled credit card companies

A computer security breach at Polo Ralph Lauren Corp. that has recently roiled two major credit card companies actually occurred last fall. But Polo only made the problem public yesterday.

"The company is confident that its credit card system is secure, and that our customers' credit card information is properly protected," said Nancy Murray, a Polo spokeswoman, in a statement.

This week, one of the credit card firms, HSBC North America, said it is asking 180,000 of its customers to replace their GM MasterCards.

Another major credit card issuer, Visa USA, has said it is still considering what action to take.

The disclosure from Polo Ralph Lauren came just a few days after congressional hearings on domestic identity theft, a response to a rising tide of security and privacy lapses.

"There's too much data flowing around, and too little privacy," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, who favors federal legislation that would force US companies to report instances of lost data. "If companies were more accountable to the people about whom they have the information, I think it would create an enormous incentive" to upgrade their security policies, Rotenberg said.

Also, two prominent Democratic lawmakers yesterday proposed legislation that would place new restrictions on US companies that process customers' personal information overseas.

US Representative Edward Markey, Democrat of Massachusetts, and US Senator Hillary Rodham Clinton, a Democrat from New York, unveiled the Safeguarding Americans From Exporting Identification Data Act, or SAFE-ID Act, during a teleconference yesterday.

The proposed legislation is a response to the increasing number of US companies that use foreign outsourcing firms to process customers' financial and medical records. For example, Practical Accountant magazine estimates that 200,000 US tax returns will be sent to India for processing this year, ten times as many as last year. Markey and Clinton fear that moving the work offshore creates new dangers for fraud and identity theft.

The bill would require American companies to inform customers when they send their personal information to third-party firms based outside the United States.

In addition, the Federal Trade Commission would be ordered to grade the information privacy policies of other countries. US businesses would be permitted to send customer data to countries with strong privacy protections, but consumers would have the right to demand that their data be processed domestically. American companies would not be allowed to send a customer's information to a country with weak privacy laws without first obtaining the customer's permission. Consumers would have the right to sue companies that violated the law.

Rotenberg, of the Electronic Privacy Information Center, praised the outsourcing legislation, but said it doesn't protect Americans against domestic privacy abuses.

Globe staff writer Bruce Mohl contributed to this report. Hiawatha Bray can be reached at bray@globe.com. 

© Copyright 2006 The New York Times Company