Michaels Breach: Who's Liable?

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.bankinfosecurity.com/articles.php?art_id=3668

By Tracy Kitten
Managing Editor
Bank Info Security
May 22, 2011

A Chicago consumer affected by the Michaels card breach has filed a 
federal lawsuit against the crafts retailer, claiming it should have 
better protected customers' cards from breach and compromise.

Brandi F. Ramundo had more than $1,300 withdrawn from her checking 
account, after reportedly making a debit purchase worth less than $20 at 
Michaels. Her five-count suit seeks class-action status, a jury trial, 
compensatory damages, and consequential and statutory damages. It also 
includes an order for Michaels to pay for card-fraud monitoring services 
for consumers hit by the scam, as well as compensation and punitive 
damages for costs associated with the suit.

Ramundo's suit raises questions about liability after a card breach fraud. 
What role should merchants play, when it comes to ensuring transactional 
security, and how should financial institutions, as card-issuers, fall 
into the fray?

Attorney Randy Sabett, partner and co-chair of the Internet and Data 
Protection practice at law firm SNR Denton LLP, says the liability lines 
are often blurred and hard to define after a breach. Despite that card 
fraud usually occurs outside banking institutions' control, banks and 
credit unions, as the card issuers, usually absorb losses and expenses 
associated with breach recovery.

[...]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/