The Checkout

Bearing the Cost of Stolen Data

TJX, the parent company of discount retailers TJ Maxx and Marshalls, said Wednesday that the data breach it reported last month is bigger than it first thought.

As my colleague Ellen Nakashima reported yesterday, TJX initially said it was hacked into sometime between May 2006 and January 2007. Now, however, it thinks its computer system was also hacked a whole two years earlier, in July 2005 and on "various subsequent dates" that year.

So much for the laws in more than 30 states that require companies to notify customers as soon as possible after a breach. The company doesn't even know yet how many customers are affected, but estimates it runs into the millions. Already, some customers have seen fraudulent charges appear on their debit and credit card accounts--some by criminals as far away as Hong Kong and Sweden, according to the Wall St. Journal (subscription required). Banks and credit unions have had to cancel hundreds of thousands of credit cards belonging to TJX shoppers. The company is being sued by customers.

Besides consumers, banks are plenty angry because they typically absorb any subsequent credit card fraud losses. Lawmakers in Massachusetts, where TJX is based, think they have an idea about how to get retailers to keep a tighter rein on their customers' information: Make them pay for data breaches.

According to the Wall St. Journal, the proposal in Massachusetts would:

"require companies whose security systems are breached to assume full financial responsibility for any fraud-related losses, costs associated with the canceling and reissuing of cards, and -- in cases of identity theft -- the freezing of accounts and credit information. The bill would apply to any company doing business in Massachusetts, wherever it may be based."

If the law passes, other states could follow suit; even House Financial Services Chair Barney Frank (D-Mass.) is talking about national data security legislation.

Banks are not without blame. Avivah Litan, an analyst for IT research firm Gartner, told Ellen, "banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."

But large retailers could use more incentive to get their acts together since most of them have not complied with a set of voluntary rules for data protection that the credit card industry devised. The rules include encrypting transmission of cardholder data and restricting access to data to those with a "need to know."

As Nessa Feddis, senior federal counsel for the American Bankers Association told Ellen, "retailers are not protecting the data."

Do you think Massachusetts legislators have the right idea? Should retailers be punished for data breaches?

By Annys Shin |  February 23, 2007; 7:00 AM ET Consumer News

Holding them responsible would add a nice incentive to invest in more secure networks. While I'm not a fan of banks in general, helping them keep their losses down would help keep their fees down (in theory). But then you likely will have the retailers passing those costs on in their prices or S&H fees, or both. One way or another the customer will likely end up paying for the increased security, but it's probably worth the cost if it saves on identity theft (ounce of prevention, pound of cure).

Posted by: Moose | February 23, 2007 12:16 PM

One problem is that while reports of fraudulent use often help identify the merchant data that was compromised, it is not easy to reconstruct the time and place of breach. My understanding is that the data is gathered by the merchant and transmitted to the "acquiring bank" and then the acquiring bank transmits the data in some more or less direct way to the various issuing banks who then bill the cardholders. Thus the data moves around, and while it may be possible to show whose data got compromised, it can be very difficult to identify where and when that compromise occurred, and therefore who is the right party to blame.
Further, data breaches at the merchant level are almost inevitable given the current weaknesses in computer security. Many merchants who conduct large numbers of card transactions do not have full-time network engineers to patch their systems. Thus it is not at all unusual to find the networks of such merchants are not up-to-date with respect to patches. Also, secure password policies are difficult to implement with a large number of sales people who have many responsibilities besides computer security. So again, almost every large organization has weaknesses in its password policy, or if they don't, they need a full time person to help employees access their data when those employees forget their passwords. Finally, it is no mean feat to create effective logging on a network so that events occurring on it can be reconstructed. By definition a compromised network means one on which the data including logs can be changed or deleted. So good logging not only requires creating the data that allows intruders to be detected, but also moving those logs off the target network onto another storage medium that is not subject to such tampering.
So far there seems to be no easy answer, but legislative debates may serve a useful purpose if that debate helps disseminate the facts.

Posted by: Richard Murray | February 23, 2007 12:18 PM

I will positively, absolutely guarantee that if the government charged companies whose customer data was compromised $100 per customer, the problem would be solved in less than three months.

Posted by: AK | February 23, 2007 1:03 PM

The laws should be changed to require the company to immediately send the customer $1000.00 when informing them of a data breach.

This will make the cost of fixing their security much cheaper than the current system of sloppy indifference. Companies get off too cheap when they try to "fix" the problems they caused with 1 year of credit report monitoring.

Posted by: Seymour | February 23, 2007 2:00 PM

Banks and credit cards have no intention of actively fighting identity theft. The % of profits they lose to ID Theft is minuscule compared to the interest charges and bank fees they collect. Look who is fighting against basic ID Theft protection measures like consumers being able to lock up the credit report. Look who fights all credit regulation. Look who collects the equivalent of 25% interest on long-term loans and fails to view that as usury. It will remain up to the consumer to protect their credit worthiness and privacy. What is the total credit card interest & fees you are paying each month?

Posted by: thw2001 | February 23, 2007 3:37 PM

Yes, Massachusetts has the right idea. Let's face it, at this point in time, most of the leaks have been at the retail level or at the companies processing retail transactions. If we could get data leaks under control at this level, a large portion of the problem would be eliminated. If the banks and credit card companies start having data leaks of their own once the retail end is in better shape, it can be dealt with on the level of *other businesses have taken steps, why can't banks*. What it comes down to is you have to start somewhere.

Posted by: ebrke | February 23, 2007 4:49 PM

The intent of making the negligent pay for the losses is correct. But it is difficult to tie a breach to subsequent usage of the credit card information since the hackers typically sell off bundles of credit card numbers to different buyers. Consumers will find it inherently difficult to lay the blame on a specific breach since there could be ongoing unknown breaches elsewhere from where the credit card information could have come. The real victims of such theft are those whose credit history is marred and credit reporting organisations have little incentive in helping them out.
It should be illegal to store credit card numbers by ANY organisation other than VISA etc and only direct encrypted communication between VISA and the point of sale should be allowed. This eliminates data compromise due to numerous poorly defended computers.

Posted by: Laura B | February 23, 2007 6:03 PM

Osama bin Laden and your Department of Homeland Security thank you for your data. Thank you Tom Ridge. Thank you George Junior.

Posted by: Jeb's Boehner | February 23, 2007 6:13 PM

I agree with jhw2001, ebrke and Jeb's Boehner -- you can see THE LIGHT!

Posted by: Plum Tired | February 23, 2007 6:55 PM

For uncensored news please go to:


What is 99,289?
That's the number of people who have signed a petition opposing an attack on Iran.
What is 711?
No, it's not a convenience store.
Oh, you didn't think that? See, you're quicker than our unitary executive!
That's right: It's the number of people -- you and your friends -- who have to spend 10 seconds each at

in order for us to be able to announce a total of 100,000 people opposing this looming aggressive and catastrophic war.

Can you help us clear this mark? It's only a number, but it is a number we plan to announce in a big way that could have an impact on a White House and Congress that are already feeling the heat of public pressure and that rarest of forces: journalistic skepticism. But the moment is now. Have you signed the petition?

Posted by: che | February 25, 2007 5:13 AM

Annys-- good piece, and good piece by Ellen. U.S. PIRG's view: Nessa Feddis of the bank association is forgetting that the bank-owned card networks aren't enforcing their own security rules either and that contributes to the problem, so contract enforcement, not legislation, is the answer, as I explain in my blog "Who pays for data breaches?":

Ed Mierzwinski
Consumer Program Director,

Posted by: Ed Mierzwinski | February 26, 2007 6:04 AM

Good points, the merchants should share the burden, but the MA legislation might be going too far, in that it attributes 100% of the responsibility to the merchant regardless of how it happened, if I understand it correctly.

So, will consumers accept being asked for photo ID every time, and for their card being refused if it is not signed? Most people reading this wouldn't find these conditions onerous, but unfortunately the conscientious consumer is not in the majority.

And what of the small merchant who manages to do everything right, yet still submits a purchase on a stolen credit card presented by a sophisticated thief or crime syndicate? I would prefer to see a law that penalizes merchants only if they fail in their due diligence. Otherwise, the problem is likely a systemic one, and that falls squarely on the shoulders of the issuing authorities for not having a more secure system in place, as Mr. Mierzwinski points out. Props to the PIRGs!

Posted by: The Cosmic Avenger | February 26, 2007 11:15 AM

It will only take a few class action lawsuits to make these banks, merchants, etc. get serious about protecting consumer data. Period.

They don't care how much data, or whose data is lost, as long as they make money and can pass the cost on to consumers.

Hit them financially, then you'll see some real changes and protection.

Posted by: sue them all | February 26, 2007 5:35 PM


© 2010 The Washington Post Company