Late last year, Target stores experienced a major security breach resulting in the loss or compromise of as many as 110 million customer credit card numbers. According to the KrebsOnSecurity.com website, these credit card numbers have flooded the black market and are selling in huge batches of as many as a million card numbers. But if not for tech blogger Brian Krebs, Target and merchants like them could have waited weeks or months to inform their customers of the breach.
Target CEO Gregg Steinhafel confirmed the breach four days after Krebs reported it. Steinhafel has not stated when he first became aware of the problem. And, that wasn’t illegal. High end merchant Nieman-Marcus and three other stores also reported security breaches during the holiday season.
In the U.S., 46 of the 50 states have laws requiring companies to report information security breaches. But, the problem is that the wording of the laws leaves a lot of wiggle room for merchants to delay reporting the loss of information. Many states allow for delays so that the breaches can be investigated. But, the question still remains, how long to wait before letting customers know so they can protect themselves? What about shareholders in public companies? When should they be notified that the stock price is about to take hit when the breach becomes public?
Co3 Systems General Counsel Grant Redmon states that “some breached organizations actually seek out law enforcement agencies that will be the most amenable to and flexible in allowing an organization to delay its notification responsibilities for extended periods of time.” Co3 assists companies with data privacy regulations.
According to the former head of cyber-crime for the U.S. Attorney General in New York, Joseph DeMarco, “It’s a judgment call.”
Demarco says that it takes time for a company to investigate and determined what happened.
“A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose,” he said.
California was the first state to pass a law regarding information breach notification. Many other states and the District of Columbia have followed suit. But, that has created another problem. Many corporations find it difficult to comply with the laws of all the states they may do business in.
Since there are no federal laws regarding data breaches, states have taken the lead. As a result of the Target Stores breach, attorney generals in several states have begun a multi-state investigation that includes as many as 30 states. The big question that needs to be answered is what did Target know and when did they know it? One federal agency that is asking that question is the Secret Service.EPIC) in Washington, D.C. says, “It’s definitely true that there has been a vacuum at the federal level in terms of privacy legislation.”
But, that vacuum may be leaking. U.S. Senator Patrick Leahy (D-Vt.) has introduced a bill requiring stronger and more responsive action by businesses suffering data breaches. Leahy’s bill is not his first attempt to deal with these breaches at the federal level. The Personal Data Privacy and Security Act was first introduced in 2005 and has since been re-introduced five times. Written by Leahy, the bill would require a national standard for data breach notification and mandate that companies increase their security when dealing with consumer information. The bill also increases the penalty for the willful concealment of data breaches.
The data breaches at Target and Neiman Marcus have sparked a flurry of activity on Capitol Hill. Sens. Tom Carper (D-Del.) and Roy Blount (R-Mo.) introduced a new version of the Data Security Act of 2014. The bill did not get much attention during the last Congress and failed to get to the floor. If voted into law, the bill would apply to businesses that take credit and debit card information, data marketers that collect consumer information, and government agencies in possession of non-public personal information.
Both bills are intended to create a national standard for breach notification to replace the multiple and sometimes competing state laws. The Carper-Blount bill would also require businesses and federal agencies to investigate the scope of the breach, the information compromised, whether it could be used for financial fraud and identity theft, and require notification to law enforcement and national credit reporting agencies if the breach affects more than 5,000 people.
One reason for the difficulty in passing an effective data security bill is competing priorities and territorial disputes. The Leahy Bill is being tabled in the Senate Judiciary Committee where he is the head while the Carper-Blout bill is being considered in the Senate Banking Housing and Urban Affairs Committee. Yet another bill, introduced by Sen. Toomey (R-Pa.) is being considered in the Senate Commerce Committee.
According to a report from Ponemon Institute, sponsored by Symantec, the average cost to a U.S. company for a data breach is $5.4 million. The U.S. and Germany had the most expensive breaches, costing companies as much as $188 per record in 2012. That number is down from $194 in 2011.Sens. Tom Carper, Roy Blount introduced a new version of the Data Security Act to protect consumers.
But, the most damaging cost of a security breach is customer loyalty.
According to a Harris Interactive poll conducted for Cintas Corporation, two-thirds of respondents said they would leave a company if they found their information was compromised or stolen.
“With every data breach comes a cost, including lost productivity, a damaged reputation, and most importantly, decreased revenue when customers take their business elsewhere,” said John Otten, Marketing Manager, Cintas. “This research confirms that by failing to make security a priority, businesses can discourage once-loyal customers from returning. It could also stop potential customers from ever patronizing your business.”
Banks and financial institutions seem to be the most vulnerable to consumer anger with 55% of respondents saying they would take their business elsewhere.
As result of the data breaches at Target and Neiman-Marcus, there will no doubt be a storm of lawsuits. But, unfortunately class action lawsuits against companies with data breaches often fail in the courtroom. According to the Columbia Business Law Review, many data loss cases are lost because plaintiffs fail to prove standing or that an actual loss occurred. Courts are having difficulty reconciling the loss of data with the actual loss of money.
However, this does not mean Target and other merchants will get off easy. The potential cost to the giant retailer could reach into the hundreds of millions of dollars. According to Eric Mazur, Managing Director of Huron Consulting Group, “the cost to Target could be astronomical.”
Larry Ponemon, Chairman of Ponemon Institute, believes Target’s data breach could cost the company “around $760 million.”