Who's Responsible For Customer Data? - InformationWeek


Who's Responsible For Customer Data?

As data hacks proliferate, Massachusetts lawmakers target retailers for restitution

As two large Massachusetts retailers grapple with the fallout from customer data security breaches, Bay State lawmakers have proposed legislation that would nail businesses for poor security practices and better protect customers from fraud.

On Feb. 17, grocery retailer Stop & Shop said it had discovered tampering with checkout-lane units for electronic funds transfer, the PIN pads customers often use to make purchases, at two Rhode Island stores. The tampering may have led to the theft of credit card, debit card, and PIN information. The company subsequently discovered evidence of payment-device tampering at three other Rhode Island locations and one store in Massachusetts. Stop & Shop said it's working with local police and the Secret Service to determine the extent of the crimes, and that it has contacted its credit and debit processors "to identify and protect affected customer accounts."

Stop & Shop hasn't said how the units were compromised. Though retail point-of-sale systems can be hacked by outsiders, it's more often the case that insiders install devices that let them steal or "skim" data, says Ira Winkler, president of Internet Security Advisors Group and a former National Security Agency analyst. Still, Stop & Shop said its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

The case is reminiscent of the customer data security breach recently discovered by TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. TJX said last week that an ongoing investigation has revealed that, while the company previously thought the computer intrusions started in May of last year and lasted till January, it was most likely hacked starting in July 2005. Even worse, the company thinks credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004--excluding debit card transactions with cards issued by Canadian banks--also were compromised.

The Big Payback
How Massachusetts lawmakers want companies responsible for security lapses to pay for data fraud:
- Cover the costs to cancel or reissue credit or debit cards
- Stop payments or block transactions with respect to such accounts
- Open or reopen accounts
- Refund or credit customers for unauthorized transactions on those accounts

Most of the expenses associated with the fraudulent activity that results from stolen customer data, such as canceling or reissuing credit and debit cards, stopping payment, and reimbursing customers for charges to their cards, are absorbed by the banks that issue the cards to customers. Also, the merchant banks that let retailers accept credit and debit transactions can be fined by Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

Massachusetts House bill 213, sponsored by Rep. Michael Costello and introduced before the TJX and Stop & Shop incidents came to light, proposes to make the businesses whose customer data is stolen responsible for the cost of fraudulent activity. A second bill, H 328, would give Massachusetts residents the ability to obtain security freezes on their credit at no charge.

The Massachusetts legislation may help compel companies to invest in better data security. Winkler says security becomes a "must have," rather than a "should have," in three ways: when government regulations require that good security be enforced, when insurance companies require it before they'll insure against losses, and when PCI standards dictate that a business could lose its ability to accept credit card payments.

If retailers won't get in line on their own, then holding them accountable for their customers' financial losses may be what's needed to stop the next big data breach.
