BreachExchange mailing list archives
The case for making retailers more accountable to consumers after data breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Oct 2014 14:17:36 -0600
http://www.bizjournals.com/washington/blog/techflash/2014/10/the-case-for-making-retailers-more-accountable-to.html?page=all

Barely a week goes by without learning of a new episode of merchant data breaches. Target and Home Depot are not the only stories over the last five years, but they are the most recent and among the most widespread. These breaches have affected hundreds of millions of consumers, and yet there has been no financial accountability by the retailers nor any accountability required by Congress.

Credit unions, along with other financial institutions, have properly been subject to stringent standards on data security since the enactment of the Gramm-Leach-Bliley Act in 1999. However, the retailers serving hundreds of millions of consumers daily are not held to these same high standards. Unfortunately, as a result of lax, ineffective data management and storage procedures, these retailers are often victims of data breaches, with the ultimate victims being their customers. In fact, retailers are not even required to let their customers know that there has been a breach.

When such a breach occurs, it is not the retailer who is left to take remedial steps to make the consumer whole. Rather, it is the financial institution that must notify the consumer of the compromise of their personal financial data, reimburse lost monies and reissue credit and/or debit cards. In the case of Target, the breach didn't occur at the point of sale, but rather through a cyber-criminal hacking their systems to access stored consumer data.

Each data breach seems to be more expansive — and expensive — than the last. The recent breaches at Target and Home Depot are suspected to have affected close to 100 million consumers each. It is time for Congress to act — to better protect consumers and hold retailers to a similar standard as financial institutions when it comes to protecting sensitive personal data.
When data breaches occur, credit unions take the necessary steps to protect their members. Credit unions know what to do because they have seen this happen all too often. They notify their members, work with them to reissue credit and debit cards, increase staff to handle the influx of calls and monitor account activity. All of this does not occur without costs, which are borne by the financial institutions, not the retailers.

All participants in the payment process share the responsibility to protect consumer data, but current laws don't hold retailers and merchants to the same accountability and transparency that credit unions and other financial institutions are rightly held to. In the world we live and work in, no system will ever be 100 percent foolproof, but consumers will remain more vulnerable than necessary if Congress fails to hold retailers to the same data-security standards that financial institutions are currently held to.

In fact, legislation under consideration in Congress would replace a patchwork of state laws with one national standard for data security breach notification requirements. We all must support enactment of laws that require any business that maintains sensitive personal and financial information — including financial institutions, retailers, and data brokers — to implement, maintain, and enforce reasonable policies that protect the security of sensitive information from unauthorized use.

Credit unions are not-for-profit financial cooperatives operating to serve their members and are already subject to stringent consumer protection regulations. It is time for retailers to be held to the same accountability and requirements to protect consumer data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!