BreachExchange mailing list archives

The case for making retailers more accountable to consumers after data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Oct 2014 14:17:36 -0600

http://www.bizjournals.com/washington/blog/techflash/2014/10/the-case-for-making-retailers-more-accountable-to.html?page=all

Barely a week goes by without learning of a new episode of merchant data
breaches. Target and Home Depot are not the only stories over the last five
years, but they are the most recent and among the most widespread. These
breaches have affected hundreds of millions of consumers and yet there has
been no financial accountability by the retailers nor any accountability
required by Congress.

Credit unions, along with other financial institutions, have properly been
subject to stringent standards on data security since the enactment of the
Gramm-Leach-Bliley Act in 1999. However, the retailers serving hundreds of
millions of consumers daily are not held to these same high standards.
Unfortunately, as a result of lax, ineffective data management and storage
procedures, these retailers are often victims of data breaches with the
ultimate victims being their customers. In fact, retailers are not even
required to let their customers know that there has been a breach.

When such a breach occurs, it is not the retailer who is left to take
remedial steps to make the consumer whole. Rather it is the financial
institution that must notify the consumer of the compromising of their
personal financial data, reimburse lost monies and reissue credit and/or
debit cards. In the case of Target, the breach didn’t occur at the point of
sale, but rather through a cyber-criminal hacking their systems to access
stored consumer data.

Each data breach seems to be more expansive — and expensive — than the
last. The recent breaches at Target and Home Depot are suspected to have
affected close to 100 million consumers each. It is time for Congress to
act — to better protect consumers and hold retailers to a similar standard
as financial institutions when it comes to protecting sensitive personal
data.

When data breaches occur, credit unions take the necessary steps to protect
their members. Credit unions know what to do because they have seen this
happen all too often. They notify their members, work with them to reissue
credit and debit cards, increase staff to handle the influx of calls and
monitor account activity. All of this does not occur without costs, which
are borne by the financial institutions, not the retailers.

All participants in the payment process share the responsibility to protect
consumer data but current laws don’t hold retailers and merchants to the
same accountability and transparency that credit unions and other financial
institutions are rightly held to. In the world we live and work in, no
system will ever be 100 percent foolproof, but consumers will remain more
vulnerable than necessary if Congress fails to hold retailers to the same
data-security standards that financial institutions are currently held to.

In fact, legislation under consideration in Congress would replace a
patchwork of state laws with one national standard for data security breach
notification requirements. We all must support enactment of laws that
require any business that maintains sensitive personal and financial
information — including financial institutions, retailers, and data brokers
— to implement, maintain, and enforce reasonable policies that protect the
security of sensitive information from unauthorized use.

Credit unions are not-for-profit financial cooperatives operating to serve
their members and are already subject to stringent consumer protection
regulations. It is time for retailers to be held to the same accountability
and requirements to protect consumer data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
