When it comes to massive data breaches – such as the ones at Target and Neiman Marcus – in which millions of customers’ credit and debit card numbers were breached, who should foot the bill?
Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches.
The bill, AB 1710, would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers’ financial damages.
The bill would require the business that maintains the data to notify affected people within 15 days of the breach. As it now stands, banks and credit card companies are also liable for consumer losses caused by data breaches.
During a news conference announcing the bill, Assemblyman Roger Dickinson (D-Sacramento), who co-authored the bill along with Assemblyman Bob Wieckowski (D-Fremont), said that consumers have the right to know where their information was stolen from, as well as the right to choose whether or not to continue doing business with the source of the breach.
He’s quoted by Sci-Tech Today:
Financial institutions should not be taking the heat for a data breach that occurs at a retailer.
The bill has been titled the Consumer Data Breach Protection Act.
According to Law360, the legislation is a variation of one that’s already been vetoed in two different forms by former Governor Arnold Schwarzenegger.
It won’t get passed without a fight this time around, either, that’s for sure.
Sci-Tech Today quoted Bill Dombrowski, president of the California Retailers Association, the membership of which includes nearly every national retail chain.
The Association’s members employ 2,776,000 people in California – nearly one-fifth of the total employment in the state.
Those retailers are ready to rumble, Dombrowski said:
It'll be a big fight, a tough fight.
One of the problems the retailers have with the bill is that it only applies to private businesses, Dombrowski said, and lets the government off the hook.
At any rate, he told Law360, why point the finger exclusively at retailers? Financial organisations also have to take part in the work that follows a breach, he said:
We're opposed to the bill because it arbitrarily assesses financial penalties on the retailer, where in the real world, what happens after a breach is there's a forensic examination done and the banks and credit card companies and retailers all have to participate. That investigation determines who is responsible.
Encryption might seem like a panacea, but it’s not always that simple.
As Naked Security explained in the wake of the Target breach, credit card data isn’t actually encrypted all the time, even on systems compliant with PCI-DSS, the Payment Card Industry Data Security Standard.
Usually, it’s briefly unencrypted inside the point-of-sale (PoS) terminal itself: the device with the keypad into which you actually insert or swipe your card.
Putting malware onto PoS terminal hardware is possible – that’s what happened at Target – and it lets crooks skim off payment card data as early in the process as possible.
SophosLabs’ Numaan Huq wrote a fascinating article about the evolution of this particular type of malware, known as PoS RAM scrapers.
Regardless of whether AB 1710 gets passed in its recent incarnation or not, I hope that retailers are paying at least as much attention, if not more, to the development of this and other retail-focused malware as they are to the laws governing who gets stuck with the bill when the malware hits its mark.
Image of money courtesy of Shutterstock.
That’s just silly. If your customer is a billionaire and your business gets his or her data stolen, you could be on the hook for his billions. Also, some people have millions of customers. There should be a cap on damages, and consumers should know that going in. Perhaps something like an online transaction bank account should become more commonplace. An account with its own debit card that you put a limited amount of money in, to minimize your financial risk if it is compromised. Something that isn’t tied to your life’s savings and big bank account.
Hear, Hear! My local bank had to re-issue cards (including mine) because of the Target breach. Target should have paid my bank for the cost of working with me and reissuing the card.
So something like the already available pre-paid cards? 😉
I half agree with you, Phillipduran. There needs to be an incentive for the financial institutions, who are best placed to see these breaches, to minimize the damage caused by fraud. But there need to be much stiffer penalties out there for companies that are holding sensitive data and lose it.
Companies need a dollar figure on what messing up means so that they can see just how hazardous this data is and justify the cost of doing the right thing. I would also hope it would cause retailers to reevaluate how much of that data they actually need and for how long.
I agree with the retailers association, however, that such a law should apply to any entity that loses data (government, schools, medical practices, legal practices, retailers, employers, etc.), not just to retailers.
What they all need to do is start getting serious about security. How about creating standards all businesses must follow? If they don’t do that much they can be held liable for everything. That would force everyone to at least start doing something. Most businesses probably ignore security because it can be expensive. It won’t look that expensive anymore compared to what they could be paying.
Totally makes the case for BitCoins and cutting Financial Institutions completely out of the transaction between retailer and customer. The only purpose of Banks in retail is to skim 2%+ off every sale for no useful consumer purpose; and now Government is again trying to protect the most wealthy few by again off-setting Banks’ liability for yet more failed products. Yes, credit card theft is simply a very badly designed Banking Product that has totally and completely failed in its official Primary purpose, and is only a complete success in its unofficial Primary Purpose of making the Banks rich at the expense of the consumer.
Cash-only retail is always an option. Cut out the skimmers and the scammers at the same time.