There's a big hearing Wednesday in Columbus that could affect how secure your online accounts are now and into the future. The hearing is on Senate Bill 220, which aims to address businesses' cybersecurity standards.
But a local man whom News 5 has interviewed in the past is about to testify against the bill.
"This is a danger for all of us," the man said at the time.
He didn't want to show his face but he wanted to share how USAA failed to protect his bank account.
"Someone had called 4 times on my account,” he said. Well, now he's coming out of the shadows.
"My name is Michael Pircio."
Pircio is from northeast Ohio and is testifying openly against Ohio Senate Bill 220.
It gives "safe harbor" to "entities that implement a cybersecurity program that complies with (something called) the Framework for Improving Critical Infrastructure Cybersecurity..." or another "data security framework."
Pircio said, in other words, businesses get the benefit of the doubt.
"Basically say, 'Hey, here's our cybersecurity game plan. Now, we have safe harbor.’"
Pircio told us he feels it’s all too vague.
"They're ambiguous. There's nothing concrete. There's nothing set in stone. There's no metrics for it really."
The national standard itself states that “the framework is not a one-size-fits-all", that the "framework will vary" and that it's a "living document".
Pircio said he feels it doesn’t protect consumers.
"People of this state need to be able to stand their ground against these companies," he said. He wants people to retain their right to sue.
Senate Bill 220 states it is "intended to be an incentive...to encourage businesses to achieve a higher level of cybersecurity". But at the same time, it's voluntary.
Pircio told us his testimony will reflect his frustrations.
"The point of all this testimony isn't about money. It's about the fact that my information is gone now, possibly to some very dangerous people,” he said. “Unfortunately, due to the arcane laws in this state and in this country, I cannot personally hold these companies liable for the damage it may cause."
News 5 contacted both senators who sponsored the bill. Senator Bob Hackett left us a message but we could not get ahold of him again. We did not hear back from Senator Kevin Bacon.
Here’s a copy of Pircio’s testimony:
ISIS, Al Qaeda, Al Nusra Front, Al Shabaab: These are the names of the enemy the United States’ Military’s men and women must face daily. The problem is that these enemies no longer stay overseas; like a plague, their message of hate and death can cross borders, time zones, and cultures. These groups can find the most vulnerable in a society and change them for the worse. They make weapons out of these least of our culture. In doing so, they have put not only active duty military at risk but also veterans, like myself. Some veterans, like myself, have a certain expectation of privacy due to the nature of our jobs in the military. Veterans do not have the robust defense of the military or the safety of a base to run back to and we also harbor those secrets that made sure you and your families could sleep safe just one more night.
Early November of last year, I was attempting to purchase some goods from a gas station when I ran into a problem. Both of my debit cards were declined. I had just gotten paid and I knew I had money in the bank. I called my bank, USAA, immediately to demand to know why my cards were declined. The representative transferred me to an escalation department because of the issue. I soon found out I had been a victim of identity theft; however, this time it was so much worse.
That day, one of the customer service representatives (CSR) from the bank had handed over, over the phone a temporary username and password for my account. Apparently, the man called in and informed the CSR that he had forgotten my username, password and did not know my phone password when asked multiple times. At that point, most bank employees would have directed the caller to scan in his photo I.D. to prove that was him. USAA did not. They allowed the call to proceed. By knowing only my birthdate and my wife’s name and birthdate (per the office of their CEO), they were able to access my account. Then the CSR gave them my temporary username and password for my account and walked them through account set up. After, the criminal moved 1100 dollars from one account to another and then back again. Still, the phone call was not ended. It was not until the phone call had ended, had a financial crimes report been filed and my account locked. A few minutes later 700 dollars was removed from my account at a point of sale in Arizona.
These 700 dollars were returned to me, and to be quite honest that isn’t the main issue. The main issue was the fact that, that account had everything about me. Since I had insurance and did banking with USAA, my driver’s license number, my prior squadron, my old duty title and my current address were all on the account. To top it all off, the fact that I am medically retired and able to get on to any base was on that account. This information is worth thousands of dollars to the right bidder on the black market. During my opening statements I made clear that the enemy we fight today isn’t the enemy we are used to fighting years ago. That enemy is here, it is clear and certain measures must be taken. One of those measures is the improvement of privacy laws and our financial infrastructure.
You see, my family and I have no base to go back to, we have no military to back us up. When I was in service our squadron details (Names, addresses etc.) were all leaked to ISIS. They only put out a hit on a few pilots at the time, but the rest of us were on there and we were vulnerable. Most of us lived on base and when we went off base we had to make sure we had no Identifying markings on us or our cars, we had to scrub our social media and it was recommended that we don’t talk to strangers in bars, restaurants etc. who are asking too much information. At the end of the day though, we knew we could count on our brothers and sisters in uniform and we had a base to go to if we were really in danger.
Now, my family and I are in real danger. These people want to hunt people like me down and kill not only me, but my family as well. The worst part is that we have no way of knowing who the next threat is or where they come from. We can’t up and sell our house, we can’t just move somewhere else to escape these unknown threats. These terrors wouldn’t be there had it not been for stricter privacy laws for Americans.
The point of all this testimony isn’t about money, it’s about the fact that my information is gone now, possibly to some very dangerous people. Unfortunately, due to the arcane laws in this state and this country I cannot personally hold these companies liable for the damage it may cause, and the laws that they so blatantly broke. We give these institutions our personally identifiable information due to laws, due to procedure, due to regulations, and if we so much as forget to pay a bill or break a part of note, there are collectors hunting down any individual they see fit in their search for retribution. When it comes to the consumer, and the financial institution does the consumer wrong, the state decides to give them “safe harbor”.
Last time I checked, this country was run for the people and by the people and our laws need to reflect that. At this point in time it looks like you are ready to pass a law for the companies writing the biggest checks. I’m not sitting here complaining about missing a payment, or not having money for bills, or not keeping up with my financial wellness. I am telling you that we, the people, our information is the most valuable thing we own in this world. Our information is the most significant form of currency in this modern age, whether it is between intelligence agencies in our own government and foreign governments, between financial institutions buying and selling paper, or even social media selling demographic information to make the most money. That all is fine; however, we put a certain level of trust into these institutions and when they do not uphold their end of the bargain they need to face justice, not only on a private right of action but on a criminal side as well.
In the military, we had a saying “Don’t push a problem, unless you are going to fix it”, so here are my three proposals instead of this bill, which would prop up the people of this state instead of the corporations. One, annul all arbitration agreements that were made without a notification by mail and an acknowledgement either digitally or in person (at the branch or otherwise). Two, annul all parts of arbitration agreements that force the consumer to forgo all rights to filing tort claims against the corporation on the grounds of enablement of identity theft. Three, allow for a private right of action against these companies who deliberately disobey the law by mishandling the personally identifiable information, allowing a suit at minimum of one million dollars, which by industry standards is the minimum damage a complete identity theft can cause a person.
We have HIPAA laws that protect people’s information in a medical setting, and that has become such the norm that it is pretty much impossible to phish for information or get around those security checks. You cannot ask for someone’s room number at a hospital much less uncover their social through medical records. Why then, are our privacy laws in dealing with our private information so less valuable?
Senators, in closing, I would like to point out that the people who elected you, the people who have defended this country and the people that have the most to lose by these criminals also rely on these financial institutions to keep them safe and to provide true protection to the consumer. Unfortunately, the only ways to make sure of this is to give the people, of this great state, the equal footing to demand respect of their information and the equity it holds. When that equity is translated into a cost, corporations and financial institutions are likely to listen and to hold their people accountable much in the same way they hold those in the mortgage industry or credit industry responsible for their actions. If you decide to push for this bill going forward, I sincerely question your position as a representative of the people of Ohio.