Who's Responsible For Customer Data? - InformationWeek
04:25 PM

Who's Responsible For Customer Data?

As data hacks proliferate, Massachusetts lawmakers target retailers for restitution

As two large Massachusetts retailers grapple with the fallout from customer data security breaches, Bay State lawmakers have proposed legislation that would nail businesses for poor security practices and better protect customers from fraud.

On Feb. 17, grocery retailer Stop & Shop said it had discovered tampering with checkout-lane units for electronic funds transfer, the PIN pads customers often use to make purchases, at two Rhode Island stores. The tampering may have led to the theft of credit card, debit card, and PIN information. The company subsequently discovered evidence of payment-device tampering at three other Rhode Island locations and one store in Massachusetts. Stop & Shop said it's working with local police and the Secret Service to determine the extent of the crimes, and that it has contacted its credit and debit processors "to identify and protect affected customer accounts."

Stop & Shop hasn't said how the units were compromised. Though retail point-of-sale systems can be hacked by outsiders, it's more often the case that insiders install devices that let them steal or "skim" data, says Ira Winkler, president of Internet Security Advisors Group and a former National Security Agency analyst. Still, Stop & Shop said its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

The case is reminiscent of the customer data security breach recently discovered by TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. TJX said last week that an ongoing investigation has revealed that, while the company previously thought the computer intrusions started in May of last year and lasted till January, it was most likely hacked starting in July 2005. Even worse, the company thinks credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004--excluding debit card transactions with cards issued by Canadian banks--also were compromised.

The Big Payback
How Massachusetts lawmakers want companies responsible for security lapses to pay for data fraud
Cover the costs to cancel or reissue credit or debit cards
Stop payments or block transactions with respect to such accounts
Open or reopen accounts
Refund or credit customers for unauthorized transactions on those accounts

Most of the expenses associated with the fraudulent activity that results from stolen customer data, such as canceling or reissuing credit and debit cards, stopping payment, and reimbursing customers for charges to their cards, are absorbed by the banks that issue the cards to customers. Also, the merchant banks that let retailers accept credit and debit transactions can be fined by Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

Massachusetts House bill 213, sponsored by Rep. Michael Costello and introduced before the TJX and Stop & Shop incidents came to light, proposes to make the businesses whose customer data is stolen responsible for the cost of fraudulent activity. A second bill, H 328, would give Massachusetts residents the ability to obtain security freezes on their credit at no charge.

The Massachusetts legislation may help compel companies to invest in better data security. Winkler says security becomes a "must have," rather than a "should have," in three ways: when government regulations require that good security be enforced, when insurance companies require it before they'll insure against losses, and when PCI standards dictate that a business could lose its ability to accept credit card payments.

If retailers won't get in line on their own, then holding them accountable for their customers' financial losses may be what's needed to stop the next big data breach.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2017 State of IT Report
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll