Wednesday, July 18, 2007

The battle over who is going to pay for data breaches heats up

The TJX data breach (45 million records and counting) is rapidly turning out to be the straw that broke the camel's back. Everyone seems to be worried about who is going to bear the financial burden that data breaches are causing.

Cleve Doty at PrivacySpot.com writes:

Retailers will be forced to pay for data compromises when they violate industry standards of data protection under a new Minnesota law, detailed here. California and Texas are considering similar legislation, as noted here and here. The Minnesota law adopts Payment Card Industry Association (PCIA) data protection standards, which require that companies not retain data from a card, including security codes, PINs, and magnetic strip data, for more than 48 hours after a transaction is approved. If a data breach occurs and the retailer failed to comply with the card security protocol, then they will have to pay costs including: refunds for unauthorized purchases, reissuing cards, notifying cardholders, and closing and reopening accounts.
The article also stipulates that retailers could be charged for excessive fraud transactions that occur on their premises.

This interested me, especially given the criticism Target -- which has its headquarters in Minnesota -- recently received for not verifying credit card transactions. Will this make them change their policy of ONLY relying on electronic data (magnetic stripe info) when accepting payment cards? Currently, they do not train their employees to check cards or ask for identification.

The other strange thing at Target is that, although they've tightened up their return policy, they will gladly look up your payment (credit/debit) card number to assist you in completing a refund. Isn't one of the basics of protecting this kind of information that it shouldn't be stored for a long time?

One of the more common and most publicized losses suffered by retailers is fraudulent refunds. I wonder how much merchandise is being stolen using fraudulent payment devices and then refunded?

Today, I'm picking on retailers, but the fact is that data breaches are occurring at a lot of places. For instance, institutions of higher learning seem to be breached all the time. Furthermore, if you follow what tracking is available on data breaches (Privacy Rights Clearinghouse, Attrition.org, PogoWasRight), the financial services sector has had its share of breaches, also.

It amazes me that since the TJX breach, there has been a lot of focus on merchants. Sadly enough, this legislation will probably hurt smaller merchants more than it will larger ones.

Merchants feel strongly that the credit card companies have been unfairly charging them for a lot of things, including fraud. Recently, I did a post about a Merchant Bill of Rights, where merchants are banding together to fight for a better deal when dealing with the credit card industry.

Meanwhile, the deadline is looming for federal agencies to come up with a plan to address data breaches. Government agencies seem to be having their share of breaches, also.

We'll probably see a lot of infighting between all the different sectors being breached. Everyone seems to be worried about who gets to pay for all of it, and how it might detract from all the money they've been making off people's personal information.

Maybe it would be better if everyone involved started working as a team and going after the real problem, which is that information is too easy to access and criminals are making too much money by stealing it.


Full story from PrivacySpot.com, here.
