Data security continues to be a struggle for major retailers. Surprisingly, there are still few federal regulations for them to follow if they’re hacked. Without such rules, damage will most likely increase from high-profile breaches such as those that hit Target and Home Depot in the past year or so.
This isn’t to say that the government isn’t trying to deal with the situation.
“I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft and protect our children’s information,” President Barack Obama said in his January State of the Union speech. Also in January, Obama proposed new rules for businesses to follow if they’ve been hacked, including notifying consumers and beefed up privacy protections.
Risks multiply
Obama’s reference to an “evolving threat” is not an empty phrase. As more organizations use cloud-based storage, the risk of online data theft multiplies, according to the Ponemon Institute, a Traverse City, Michigan-based data security researcher. About 43% of business executives who responded to a Ponemon survey reported a data breach at their company last year, up sharply from 33% in 2013, suggesting an uncomfortable reality: Successful hacks are growing more frequent.
With Obama’s legislative proposals on the table and protections already enacted in some states, retailers are feeling the heat to strengthen their procedures. Currently, banks and card issuers carry most of the load following a data breach, including covering many of the resulting fraud losses and other costs. Banking industry groups have asked Congress for some relief by shifting the financial burden.
“All parties must share the responsibility, and the costs, for protecting consumers,” a group of industry associations said in a Feb. 12 letter to lawmakers. “The costs of a data breach should ultimately be borne by the entity that incurs the breach.”
Hacking surges
We’re familiar by now with the multitude of credit and debit cards that were hacked after the Target breach at the end of 2013, but that was far from the worst recent incident. In Target’s case, intruders copied information on about 40 million customer credit and debit cards during in-store transactions. In September, Home Depot said it got hit harder. The number of cards compromised totaled 56 million from April to Sept. 2, the company said.
In the past year alone, at least 20 more big data breaches surfaced and spread beyond retailers. In October, JPMorgan Chase disclosed that contact information for about 76 million households and 7 million small businesses may have been compromised. More recently, health insurer Anthem said personal data had been exposed, including names, birth dates and Social Security numbers for 80 million individuals.
Who pays?
Under federal law, banks and credit unions must notify consumers of any data breach. Protecting customer confidentiality is mandatory, which means replacing compromised accounts and issuing new cards as well as strengthening internal security following a breach.
The Target hack cost credit unions alone $30.6 million, which included issuing 4.6 million credit and debit cards, the Credit Union National Association has said. A California legislative study put the cost to financial institutions at $170 million – and rising – to replace cards and other steps on more than 17 million compromised accounts. The attack on Home Depot resulted in $57.4 million just in credit union costs, according to the CUNA.
Some banks that felt the sting sued Target to force the big retailer to cover at least part of the hack’s costs from fraud and to replace cards. A federal judge in St. Paul, Minnesota, refused Target’s bid to have the case dismissed in December.
Consumer protection
Banks and credit unions are developing new security techniques like multifactor authentication systems and technologies like tokenization to deter and defeat hackers, according to industry groups. Using one-time codes, or tokens, instead of account details during transactions has already been put to use in some payment systems, including Apple Pay. Chipped cards, with EMV microcircuits embossed on the plastic, can also use tokens and keep the account details in encrypted form, making them extremely hard to copy. EMV stands for EuroPay, MasterCard and Visa, which jointly developed the payment technology.
But there are no federal regulations for retailers regarding notification or covering fraud costs instead of forcing consumers to pay them, as there are for banks and card issuers. That’s something the banking industry wants to change.
New standards for retailers
Retailers generally support new rules to require notifying customers about data breaches, according to the National Retail Federation in Washington. Many, such as Home Depot, have stepped up to equip checkout registers with EMV-enabled card readers.
Some states have taken matters into their own hands. There’s a patchwork of 46 state laws dealing with data protection and identity theft. Effective this year, California law requires businesses that maintain personal information to abide by state data security requirements. In the event of a breach, businesses must help Californians for at least a year to resolve any identity theft without charge.
New York isn’t far behind. In January, state Attorney General Eric Schneiderman proposed measures to require disclosure of data breaches involving an expanded category of personal information, such as names, email addresses, passwords and health records instead of just Social Security, driver’s license or account numbers. He also called for a safe-harbor provision that would shield businesses from liability if they go beyond legally required security safeguards.
Disclosure, sharing
In his proposals for new federal rules, President Obama wants to require companies to disclose data breaches to affected consumers within 30 days. More recently, the president signed an executive order that encourages companies to share information about breaches with other businesses to help prevent future attacks.
As federal and state governments make data security a bigger priority, the pressure on retailers to step up their own security and share the responsibility for damage from breaches is greater than ever. After all, with big data comes big responsibility, and preventing hacks from growing even worse concerns consumers nationwide.
Image via iStock.
Source Article :http://bit.ly/19E506D
0 comments:
Post a Comment