Proposed Mass. law targeting retailers for breaches gets mixed response

Bankers say they're left footing the bill for retailer security mistakes

A proposed Massachusetts bill that would hold retailers financially liable to card-issuing banks for the costs of a security breach is getting a decidedly mixed reaction from different quarters.

Some see it as the somewhat inevitable fallout from a seemingly never-ending spate of data breach disclosures. Others are blasting the proposed plan as unfairly penalizing retailers while letting banks and credit card companies off the hook.

Democratic state Rep. Michael Costello proposed the legislation. It would require retailers that suffer a data breach to reimburse card-issuing banks for the costs involved in blocking and re-issuing cards, closing and opening new accounts, and any other measures they're forced to take because of the breach. Until now, banks and credit unions have typically been forced to assume those costs, which sometimes total more than $30 per card.

The Massachusetts bill is the first of its kind to be proposed in the country, though similar legislation is being considered at the federal level, too. The bill's fate is uncertain and, if it does win approval, it would actually apply to all businesses, including banks and card processing companies operating in Massachusetts, regardless of where they are based.

But it is retailers who are seen as the main targets of the measure, especially since it comes in the aftermath of a massive data breach at The TJX Companies Inc. and a somewhat less serious one at Stop & Shop Supermarket Co.

"This is what happens if industry doesn't respond fast enough to [information security] challenges," said Brian Kilcourse, president of the Retail Systems Alert Group, a Newton, Mass.-based consultancy. A recent survey by the company showed that about 43% of retailers still don't have any sort of incident response plan to deal with breaches such as the one that hit TJX.

"It isn't a far stretch of the imagination to think that if the industry cannot regulate itself and cannot follow commercial standards, such as [the Payment Card Industry Data Security Standard], that the government will step in," he said. And the consequence of government intervention could wind up being "something like" the information security requirements required by the Sarbanes-Oxley law, he said.

"It's impressive that Massachusetts has taken the first step forward" in dealing with retail security issues, said Alex Bakman, chief technology officer at security vendor Ecora Software Corp. Despite a considerable push by credit card companies, such as Visa International Inc. and MasterCard International Inc., to push adoption of PCI, a large number of retailers remain noncompliant, he said.

"Unfortunately, in the retail community, they are all trying to keep a lid on any kind of expenditures" and have paid scant attention to information security, he said. "I am very much for this legislation. I think it was inevitable."

Others, though, had a different take.

Jon Hurst, president of the Retailers Association of Massachusetts, blasted the idea and said it is unreasonable to assign 100% of the costs incurred from security breaches on retailers alone.

"We, of course, strongly oppose it," he said. To put in a state law and have it favor the banks is "sending money one way," he said. "That's just plain wrong and we can't accept that," especially because there are multiple parties involved in a payment card transaction.

While retailers need to shore up security, card-issuing banks have their own responsibility for improved user authentication and for reducing fraudulent card use on their networks, Hurst said. "It would be one thing if the issuing banks were also held 100% responsible [for losses incurred by retailers] when a card is fraudulently used."

What also makes the proposed bill egregious is the fact that credit card companies and banks are already recovering fraud-related costs upfront from retailers via the so-called interchange fees associated with card use, he said. Contractual agreements between all parties in the payment card chain also ensure that merchants that suffer breaches already pay for the costs involved in dealing with it.

"What the bill is suggesting is a third level of recovery and that is just unacceptable," Hurst said.

John Pescatore, an analyst at Gartner Inc., echoed similar concerns.

"Okay, merchants should be doing a much better job of protecting their data and that is why there's PCI," Pescatore said. But credit card companies and banks also need to do more to make payment card transactions more secure via measures such as the PIN and chip-based transactions that are already in use in Europe. So far, though, they have been unwilling to make the investments necessary for those kinds of measures and instead appear more keen to go after retailers who already bear a lot of the costs, he said.

"I think this is a reactive piece of legislation," said Cathy Hotka, president of Cathy Hotka & Associates, a retail consultancy in Washington. "I am not sure how persuasive the argument is to punish retailers," when so many others are also involved in a payment card transaction, she said.

Adam Martignetti, chief of staff at Costello's office, said the impetus for the bill comes from growing identity theft concerns spawned by breaches such as the one disclosed by TJX. "This came out of our conversations with the Massachusetts Bankers Association," he said. "We just felt there was a need for an incentive for all people who hold [customer data] to hold it safely and securely with all the right security protocols that are available. If that incentive had to be a financial one, then so be it."

The proposal has been sent to the Consumer Protection Committee, which will hold public hearings and make a recommendation on whether it should be voted on, Martignetti said. Similar legislation was proposed by Costello two years ago, but that bill never made it to the House floor for a vote. This time around, it should get more attention because of the concerns sparked by the TJX incident, he said.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon