The credit-card crash

No cash? No problem. Use your debit card or, if your balance is wanting, your credit card.

It's easy. It's convenient. It's dangerous.

Or at least it seems so with the rash of stupefying breaches of consumer information held by credit-card companies or their partners in creating a seamless, cashless society. The latest breach of CardSystems Solutions, a credit-card processor, put 40 million cardholders at risk. Before that, CitiFinancial confessed, tapes with data on 3.9 million customers were "misplaced" by a delivery person. Before that, ChoicePoint was duped by crooks into selling information about 145,000 consumers. Hackers gained access to a LexisNexis database and information about 320,000 people.

And these are just the incidents we know about.

Perhaps most horrifying is how the breaches highlight how carelessly some companies treat consumer data. CitiFinancial's missing tapes were not encrypted, making it easier to harvest the data.

ChoicePoint has a sideline business verifying the authenticity of businesses, but failed to vet its own data-buying customers who turned out to be pirates.

CardSystems Solutions, which processes credit-card transactions, is supposed to immediately purge the information after the transaction is completed. Now, company officials acknowledge they improperly saved the information for "research" purposes.

There ought to be a law — in fact, a bunch of them.

Thanks to California's pioneering law requiring consumer notification if personal data is put at risk, ChoicePoint was forced to notify victims. Initially, the company was going to confine notifications to California, before it relented and notified all consumers affected, including about 3,200 in Washington.

Washington's Legislature just approved a similar bill that takes effect July 25 as well as a bill permitting consumers to freeze their credit report so new credit cannot be opened without their knowledge — but only after there has been fraud.

National solutions are necessary. Sens. Charles Schumer, D-New York, and Bill Nelson, D-Florida, proposed a bill requiring consumer notification, federal registration and regulation of data-aggregator companies and a penalty of $1,000 per consumer affected.

Such a severe penalty is necessary. Consumers and merchants have put their faith in a system that might not deserve it.