As two large Massachusetts retailers grapple with the fallout from customer data security breaches, Bay State lawmakers have proposed legislation that would nail businesses for poor security practices and better protect customers from fraud.

On Feb. 17, grocery retailer Stop & Shop said it had discovered tampering with checkout-lane units for electronic funds transfer, the PIN pads customers often use to make purchases, at two Rhode Island stores. The tampering may have led to the theft of credit card, debit card, and PIN information. The company subsequently discovered evidence of payment-device tampering at three other Rhode Island locations and one store in Massachusetts. Stop & Shop said it's working with local police and the Secret Service to determine the extent of the crimes, and that it has contacted its credit and debit processors "to identify and protect affected customer accounts."

Stop & Shop hasn't said how the units were compromised. Though retail point-of-sale systems can be hacked by outsiders, it's more often the case that insiders install devices that let them steal or "skim" data, says Ira Winkler, president of Internet Security Advisors Group and a former National Security Agency analyst. Still, Stop & Shop said its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

The case is reminiscent of the customer data security breach recently discovered by TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. TJX said last week that an ongoing investigation has revealed that, while the company previously thought the computer intrusions started in May of last year and lasted till January, it was most likely hacked starting in July 2005. Even worse, the company thinks credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004--excluding debit card transactions with cards issued by Canadian banks--also were compromised.

WHO PAYS FOR FRAUD?

Most of the expenses associated with the fraudulent activity that results from stolen customer data, such as canceling or reissuing credit and debit cards, stopping payment, and reimbursing customers for charges to their cards, are absorbed by the banks that issue the cards to customers. Also, the merchant banks that let retailers accept credit and debit transactions can be fined by Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

Massachusetts House bill 213, sponsored by Rep. Michael Costello and introduced before the TJX and Stop & Shop incidents came to light, proposes to make the businesses whose customer data is stolen responsible for the cost of fraudulent activity. A second bill, H 328, would give Massachusetts residents the ability to obtain security freezes on their credit at no charge.

The Massachusetts legislation may help compel companies to invest in better data security. Winkler says security becomes a "must have," rather than a "should have," in three ways: when government regulations require that good security be enforced, when insurance companies require it before they'll insure against losses, and when PCI standards dictate that a business could lose its ability to accept credit card payments.

If retailers won't get in line on their own, then holding them accountable for their customers' financial losses may be what's needed to stop the next big data breach.