US state eyes law to charge retailers for data breaches

Massachusetts may make retailers liable to banks for the costs of security breaches

A Massachusetts bill that would see retailers held financially liable to banks for the costs of a credit card security breach is receiving decidedly mixed support.

Some see it as the inevitable fallout from a seemingly neverending spate of data-breach disclosures. Others are blasting the proposed plan as unfairly penalising retailers while letting banks and credit card companies off the hook.

The legislation was proposed by Democratic state representative Michael Costello, after consultations with the banking industry, but retailers are less than impressed

The bill would require retailers who suffer a data breach to reimburse card-issuing banks for the costs involved in blocking and re-issuing cards, closing and opening new accounts and any other measures they’re forced to take because of the breach. Banks and credit unions have typically until now been forced to assume those costs, which sometimes total more than US$30 ($NZ42.40) per card.

The Massachusetts bill is the first of its kind to be proposed in the country, though similar legislation is being considered at the federal level, too. The bill’s fate is uncertain and if it does win approval, it would actually apply to all businesses — including banks and card-processing companies operating in Massachusetts, regardless of where they are based.

But it is retailers who are seen as the main targets of the measure, especially since it comes in the aftermath of a massive data breach at retailer TJX Companies and a somewhat less serious one at Stop & Shop Supermarket Companies.

“This is what happens if industry doesn’t respond fast enough to [information security] challenges,” says Brian Kilcourse, president of the Retail Systems Alert Group, a Massachusetts-based consultancy. A recent survey by the company showed that about 43% of retailers still don’t have any sort of incident response plan to deal with breaches such as the one that hit TJX.

“It isn’t a far stretch of the imagination to think that if the industry cannot regulate itself and cannot follow commercial standards such as PCI, the government will step in,” he says.

And the consequence of government intervention could wind up being “something like” the information security requirements required by the Sarbanes-Oxley law, he says.

“It’s impressive that Massachusetts has taken the first step forward” in dealing with retail security issues, says Alex Bakman, CTO at Ecora Software, a security vendor. Despite a considerable push by credit card companies such as Visa International and MasterCard Worldwide to push adoption of the Payment Card Industry (PCI) data security standard, a large number of retailers remain non-compliant, he says.

“Unfortunately, in the retail community they are all trying to keep a lid on any kind of expenditures” and have paid scant attention to information security, he says. “I am very much for this legislation. I think it was inevitable.”

However, Jon Hurst, president of the Massachusetts Retailers Association, blasted the idea and said it is unreasonable to assign 100% of the costs incurred from security breaches to the retailers alone.

“We, of course, strongly oppose it,” he says. To put in a state law and have it favour the banks is “sending money one way,” he says. “That’s just plain wrong and we can’t accept that”, especially because there are multiple parties involved in a payment card transaction.

While retailers need to shore up security, card-issuing banks have their own responsibility for improving user authentication and for reducing fraudulent card use on their networks, Hurst says.

“It would be one thing if the issuing banks were also held 100% responsible [for losses incurred by retailers] when a card is fraudulently used.”

What also makes the proposed bill egregious is the fact that credit card companies and banks are already recovering fraud-related costs upfront from retailers via the so-called interchange fees associated with card use, he says.

Contractual agreements between all parties in the payment card chain also ensure that merchants who suffer breaches already pay for the costs involved in dealing with them.

“What the bill is suggesting is a third level of recovery and that is just unacceptable,” Hurst says.

Adam Martignetti, chief of staff at Costello’s office, says the impetus for the bill comes from growing identity theft concerns spawned by breaches such as the one disclosed by TJX.

“This came out of our conversations with the Massachusetts Bankers Association,” he says.

“We just felt there was a need for an incentive for all people who hold [customer data] to hold it safely and securely with all the right security protocols that are available. If that incentive had to be a financial one, then so be it.”

Similar legislation was proposed by Costello two years ago, but that bill never made it to the House floor for a vote. This time around it should get more attention because of the concerns sparked by the TJX incident, he says.

Join the newsletter!

Error: Please check your email address.

Tags data breachesmassachusettsSecurity ID

Show Comments
[]