As Ken Solomon read the letter last month from a company whose software he had bought, one sentence set off alarms: "Your credit or debit card information may be at risk."
The letter from ItsDeductible, a California manufacturer of tax-deduction software, informed customers that the company's office had been burgled June 11. A computer containing customers' confidential credit card information -- including Solomon's -- was taken.
The data was password-protected, and the break-in's circumstances indicated the thief was after hardware to resell and not the data on the hard drive, making misuse of the information a "remote" possibility, the letter reassured. But there's no guarantee, it warned.
Solomon says the letter offered "zero assurance or comfort."
But what really aggravated him was that he bought that software 16 months before the theft. "Keeping my charge card information on their computer for such a duration is nuts," says Solomon, a Pacifica, Calif., reader.
How long can corporations store your credit card information? Forever, if they want. Currently there are no laws or industry standards governing how long companies in the private sector may keep such data, or how they must protect it while they hold it.
"This was an unfortunate incident," says Julie Miller, spokeswoman for Intuit, the software company that bought ItsDeductible in July 2003.
Solomon's data and that of about 47,000 other customers was being stored, she says, because the makers of ItsDeductible offered buyers a money-back guarantee if the software didn't save them a certain amount of money on their next tax return. The guarantee has a nearly two-year lifespan.
"In order to ensure we could still process the guarantee and refund, we needed to maintain that data," Miller says.
Otherwise, Intuit's privacy and security policies require customer data to be purged on an ongoing basis, says Miller, typically within days after the transaction is completed.
"That is a lame excuse for keeping information stored on file and unsecured," Los Angeles security expert Chris E. McGoey says of the guarantee.
McGoey, president of McGoey Security Consulting, says credit card information breaches and other confidential data vulnerabilities, in computers or not, pose a serious problem as identity theft grows. "We haven't even scratched the surface of how exposed our personal financial records are," he says.
Although legislation has been drafted in California and some other states that would require encryption of credit card and Social Security numbers, McGoey says, "it's not currently in place."
Julie Fergerson, co-chairman of the Merchant Risk Council, a nonprofit organization that helps educate merchants on the best practices for fighting card-not-present fraud, says the solution isn't as simple as deleting credit card data once a transaction is complete.
"There are actually legitimate business reasons why you would want to keep a customer's credit card number at least six months," she says. "At any time, a cardholder can say he didn't make this purchase" and the company needs proof if he did.
American Express spokeswoman Molly Faust says Amex generally recommends that "merchants retain supporting documentation about charges for 24 months in case a charge is disputed." But, she adds, "they should be using encryption and other security standards to protect the data."
Corporate America has begun to take that next step. "Visa, MasterCard, American Express and Discover all have brand-new compliance programs that they are rolling out, and they require the merchants to encrypt the credit card information," Fergerson says. "That's the thing they are doing in reaction to all these data compromises."
Intuit's Miller says no "unlawful access of any of these credit card customers" from the June burglary has been reported.
And McGoey says Solomon has little to worry about so long as his Social Security number, date of birth or driver's license number wasn't in the stolen data.
"Think about all the exposure," he says. "Your doctor and dentist have all your personal identifiers sitting in a file in their offices. Blockbuster Video has your name, address, telephone and credit card info for any employee to access. The phone company and other utilities have your identifiers. . . . Our records are scattered everywhere and most are unsecured."
There are things you can do to protect yourself, says McGoey, who recommends the oft-repeated consumer tips, among them checking credit reports for errors, balancing checkbooks, scouring credit card statements and shredding financial statements before disposal. "But most people," he adds, "either don't think about them or don't make the effort."
Got questions? A consumer complaint? A helpful tip? E-mail details to email@example.com or write Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071.