Proposed Mass. law targeting retailers for breaches gets mixed response

Computerworld - A proposed Massachusetts bill that would hold retailers financially liable to card-issuing banks for the costs of a security breach is getting a decidedly mixed reaction from different quarters.

Some see it as the somewhat inevitable fallout from a seemingly never-ending spate of data breach disclosures. Others are blasting the proposed plan as unfairly penalizing retailers while letting banks and credit card companies off the hook.

Democratic state Rep. Michael Costello proposed the legislation. It would require retailers that suffer a data breach to reimburse card-issuing banks for the costs involved in blocking and re-issuing cards, closing and opening new accounts, and any other measures they're forced to take because of the breach. Until now, banks and credit unions have typically been forced to assume those costs, which sometimes total more than $30 per card.

The Massachusetts bill is the first of its kind to be proposed in the country, though similar legislation is being considered at the federal level, too. The bill's fate is uncertain and, if it does win approval, it would actually apply to all businesses, including banks and card processing companies operating in Massachusetts, regardless of where they are based.

But it is retailers who are seen as the main targets of the measure, especially since it comes in the aftermath of a massive data breach at The TJX Companies Inc. and a somewhat less serious one at Stop & Shop Supermarket Co.

"This is what happens if industry doesn't respond fast enough to [information security] challenges," said Brian Kilcourse, president of the Retail Systems Alert Group, a Newton, Mass.-based consultancy. A recent survey by the company showed that about 43% of retailers still don't have any sort of incident response plan to deal with breaches such as the one that hit TJX.

"It isn't a far stretch of the imagination to think that if the industry cannot regulate itself and cannot follow commercial standards, such as [the Payment Card Industry Data Security Standard], that the government will step in," he said. And the consequence of government intervention could wind up being "something like" the information security requirements required by the Sarbanes-Oxley law, he said.

"It's impressive that Massachusetts has taken the first step forward" in dealing with retail security issues, said Alex Bakman, chief technology officer at security vendor Ecora Software Corp. Despite a considerable push by credit card companies, such as Visa International Inc. and MasterCard International Inc., to push adoption of PCI, a large number of retailers remain noncompliant, he said.

"Unfortunately, in the retail community, they are all trying to keep a lid on any kind of expenditures" and have paid scant attention to information security, he said. "I am very much for this legislation. I think it was inevitable."