04:25 PM
Connect Directly

Who's Responsible For Customer Data?

As data hacks proliferate, Massachusetts lawmakers target retailers for restitution

As two large Massachusetts retailers grapple with the fallout from customer data security breaches, Bay State lawmakers have proposed legislation that would nail businesses for poor security practices and better protect customers from fraud.

On Feb. 17, grocery retailer Stop & Shop said it had discovered tampering with checkout-lane units for electronic funds transfer, the PIN pads customers often use to make purchases, at two Rhode Island stores. The tampering may have led to the theft of credit card, debit card, and PIN information. The company subsequently discovered evidence of payment-device tampering at three other Rhode Island locations and one store in Massachusetts. Stop & Shop said it's working with local police and the Secret Service to determine the extent of the crimes, and that it has contacted its credit and debit processors "to identify and protect affected customer accounts."

Stop & Shop hasn't said how the units were compromised. Though retail point-of-sale systems can be hacked by outsiders, it's more often the case that insiders install devices that let them steal or "skim" data, says Ira Winkler, president of Internet Security Advisors Group and a former National Security Agency analyst. Still, Stop & Shop said its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

The case is reminiscent of the customer data security breach recently discovered by TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. TJX said last week that an ongoing investigation has revealed that, while the company previously thought the computer intrusions started in May of last year and lasted till January, it was most likely hacked starting in July 2005. Even worse, the company thinks credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004--excluding debit card transactions with cards issued by Canadian banks--also were compromised.

The Big Payback
How Massachusetts lawmakers want companies responsible for security lapses to pay for data fraud
Cover the costs to cancel or reissue credit or debit cards
Stop payments or block transactions with respect to such accounts
Open or reopen accounts
Refund or credit customers for unauthorized transactions on those accounts

Most of the expenses associated with the fraudulent activity that results from stolen customer data, such as canceling or reissuing credit and debit cards, stopping payment, and reimbursing customers for charges to their cards, are absorbed by the banks that issue the cards to customers. Also, the merchant banks that let retailers accept credit and debit transactions can be fined by Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

Massachusetts House bill 213, sponsored by Rep. Michael Costello and introduced before the TJX and Stop & Shop incidents came to light, proposes to make the businesses whose customer data is stolen responsible for the cost of fraudulent activity. A second bill, H 328, would give Massachusetts residents the ability to obtain security freezes on their credit at no charge.

The Massachusetts legislation may help compel companies to invest in better data security. Winkler says security becomes a "must have," rather than a "should have," in three ways: when government regulations require that good security be enforced, when insurance companies require it before they'll insure against losses, and when PCI standards dictate that a business could lose its ability to accept credit card payments.

If retailers won't get in line on their own, then holding them accountable for their customers' financial losses may be what's needed to stop the next big data breach.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.