Bearing the Cost of Stolen Data
TJX, the parent company of discount retailers TJ Maxx and Marshalls, said Wednesday that the data breach it reported last month is bigger than it first thought.
As my colleague Ellen Nakashima reported yesterday, TJX initially said it was hacked into sometime between May 2006 and January 2007. Now, however, it thinks its computer system was also hacked a whole two years earlier, in July 2005 and on "various subsequent dates" that year.
So much for the laws in more than 30 states that require companies to notify customers as soon as possible after a breach. The company doesn't even know yet how many customers are affected, but estimates it runs into the millions. Already, some customers have seen fraudulent charges appear on their debit and credit card accounts--some by criminals as far away as Hong Kong and Sweden, according to the Wall St. Journal (subscription required). Banks and credit unions have had to cancel hundreds of thousands of credit cards belonging to TJX shoppers. The company is being sued by customers.
Besides consumers, banks are plenty angry because they typically absorb any subsequent credit card fraud losses. Lawmakers in Massachusetts, where TJX is based, think they have an idea about how to get retailers to keep a tighter rein on their customers' information: Make them pay for data breaches.
According to the Wall St. Journal, the proposal in Massachusetts would:
"require companies whose security systems are breached to assume full financial responsibility for any fraud-related losses, costs associated with the canceling and reissuing of cards, and -- in cases of identity theft -- the freezing of accounts and credit information. The bill would apply to any company doing business in Massachusetts, wherever it may be based."
If the law passes, other states could follow suit; even House Financial Services Chair Barney Frank (D-Mass.) is talking about national data security legislation.
Banks are not without blame. Avivah Litan, an analyst for IT research firm Gartner, told Ellen, "banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."
But large retailers could use more incentive to get their acts together since most of them have not complied with a set of voluntary rules for data protection that the credit card industry devised. The rules include encrypting transmission of cardholder data and restricting access to data to those with a "need to know."
As Nessa Feddis, senior federal counsel for the American Bankers Association told Ellen, "retailers are not protecting the data."
Do you think Massachusetts legislators have the right idea? Should retailers be punished for data breaches?