Who's Responsible For Customer Data? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Who's Responsible For Customer Data?

As data hacks proliferate, Massachusetts lawmakers target retailers for restitution

As two large Massachusetts retailers grapple with the fallout from customer data security breaches, Bay State lawmakers have proposed legislation that would nail businesses for poor security practices and better protect customers from fraud.

On Feb. 17, grocery retailer Stop & Shop said it had discovered tampering with checkout-lane units for electronic funds transfer, the PIN pads customers often use to make purchases, at two Rhode Island stores. The tampering may have led to the theft of credit card, debit card, and PIN information. The company subsequently discovered evidence of payment-device tampering at three other Rhode Island locations and one store in Massachusetts. Stop & Shop said it's working with local police and the Secret Service to determine the extent of the crimes, and that it has contacted its credit and debit processors "to identify and protect affected customer accounts."

Stop & Shop hasn't said how the units were compromised. Though retail point-of-sale systems can be hacked by outsiders, it's more often the case that insiders install devices that let them steal or "skim" data, says Ira Winkler, president of Internet Security Advisors Group and a former National Security Agency analyst. Still, Stop & Shop said its investigation "has not uncovered any involvement or suspected involvement of any Stop & Shop personnel in the tampering."

The case is reminiscent of the customer data security breach recently discovered by TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods, and other stores. TJX said last week that an ongoing investigation has revealed that, while the company previously thought the computer intrusions started in May of last year and lasted till January, it was most likely hacked starting in July 2005. Even worse, the company thinks credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004--excluding debit card transactions with cards issued by Canadian banks--also were compromised.

The Big Payback
How Massachusetts lawmakers want companies responsible for security lapses to pay for data fraud
Cover the costs to cancel or reissue credit or debit cards
Stop payments or block transactions with respect to such accounts
Open or reopen accounts
Refund or credit customers for unauthorized transactions on those accounts

Most of the expenses associated with the fraudulent activity that results from stolen customer data, such as canceling or reissuing credit and debit cards, stopping payment, and reimbursing customers for charges to their cards, are absorbed by the banks that issue the cards to customers. Also, the merchant banks that let retailers accept credit and debit transactions can be fined by Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

Massachusetts House bill 213, sponsored by Rep. Michael Costello and introduced before the TJX and Stop & Shop incidents came to light, proposes to make the businesses whose customer data is stolen responsible for the cost of fraudulent activity. A second bill, H 328, would give Massachusetts residents the ability to obtain security freezes on their credit at no charge.

The Massachusetts legislation may help compel companies to invest in better data security. Winkler says security becomes a "must have," rather than a "should have," in three ways: when government regulations require that good security be enforced, when insurance companies require it before they'll insure against losses, and when PCI standards dictate that a business could lose its ability to accept credit card payments.

If retailers won't get in line on their own, then holding them accountable for their customers' financial losses may be what's needed to stop the next big data breach.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
8 AI Trends in Today's Big Enterprise
Jessica Davis, Senior Editor, Enterprise Apps,  9/11/2019
IT Careers: 10 Places to Look for Great Developers
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/4/2019
Cloud 2.0: A New Era for Public Cloud
Crystal Bedell, Technology Writer,  9/1/2019
Register for InformationWeek Newsletters
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll