
Retailers, Banks Trade Blame in Data Thefts

The Washington Post today ran a story I wrote about data breach legislation being crafted on Capitol Hill. Lawmakers are looking to respond to the almost daily disclosures of companies, schools and government agencies suffering data breaches or otherwise exploiting consumers' personal data. Since February 2005, when data mining giant ChoicePoint divulged that it had sold data on 145,000 consumers to criminals, there have been more than 100 million instances in which Americans have had their personal data compromised due to data breaches and mishaps, according to Privacy Rights Clearinghouse.

It's difficult to find a policy issue that's more timely than data privacy and security. Based on my recent interviews, it is clear that this issue is shaping up to be a slugfest between the retail industry and small banks.

A recent high-profile data breach at TJX, the Massachusetts-based parent of discount retailers TJ Maxx and Marshalls, happened in the backyard of House Financial Services Committee Chairman Barney Frank (D-Mass.). According to Frank, retailers like TJX are not doing enough to protect their customers' data (TJX said hackers had broken into its credit and debit card processing network for six months last year and in a separate period in 2003). Frank wants retailers to bear more of the costs that banks incur when canceling new accounts, issuing new cards and dealing with the fallout from angry and confused customers. I suspect that his argument is likely to resonate strongly with many consumers.

Retailers tell a different story. Mallory Duncan, senior vice president of the National Retail Federation, sums up their point of view: "Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place, but a lot of the smaller institutions don't have those systems," he said. "These institutions have abdicated their responsibilities in this regard, and now they want retailers to pay for it."

The rest of the story is here. Security Fix will be keeping a close eye on this key issue. I will be moderating a panel on possible legislative solutions to data privacy and breach problems at the RSA Security conference in San Francisco next Tuesday. If you're heading out there as well, please drop by the panel to join in the conversation; I plan to leave plenty of time for Q&A.

By Brian Krebs  |  February 2, 2007; 10:28 AM ET
Categories:  From the Bunker  


The TJ Maxx security breach has made me take notice as to the inconsistent notification by Banks, Credit Card companies, and Credit Unions. One Credit Union sent me a bad letter with not many details. Citibank didn't even notify me and I had to find out online when I went to review my account statement and saw charges xfered to a new account#. When I went to make a payment on my Citibank account I got an error with no explanation. The support person in some foreign country said to try again in a 1/2 hr which did not help. Citibank did not have any notice online explaining what was going on. So notification is a big issue to me! Unfortunately this time the Govt needs to get involved and lawsuits need to be filed!

The statement above about "Most of the larger banks have very sophisticated, round-the-clock fraud monitoring systems in place..." is bull crap. I can do a better job of monitoring my accounts online than any fraud monitoring service, VISA or a bank!

Posted by: ejg80s | February 2, 2007 10:40 PM | Report abuse

It is unfortunate, but there appears to be no reason to expect business to police itself in relation to ID thefts and the identity crisis in general. Over 100 million private records lost since Feb. 2005 (ChoicePoint), and, as this article points out, still growing strong. The US Congress has offered no valid legislative solutions, most likely because of the government's use of this sensitive data to spy on American households.

There is only one answer to stopping the problem and that is giving consumers control over their names and personal data, so that they can decide when and how it is used. At the same time, the individual should be paid each time this private information is sold.

If you're interested, read more in my blog, "The Dunning Letter" at:

Jack E. Dunning
Cave Creek, AZ

Posted by: Jack E. Dunning | February 3, 2007 6:57 PM | Report abuse


© 2010 The Washington Post Company