
U.S. PIRG Consumer Blog


February 22, 2007

Who pays for data breaches?

Of course, it's consumers who pay, in stress and hassles, fraud and identity theft, and higher costs for goods, credit and services. But recently, the massive breach at Massachusetts-based TJX Companies has made the Massachusetts legislature a flash point in a long-simmering feud between banks and merchants over who should pay for data breach notifications, the issuance of new credit and debit cards, and fraud- or identity-theft-related benefits to consumers, such as credit monitoring or security freezes. The smaller banks (and credit unions) feel caught in the middle and blame the merchants and third-party payment processors. They want the law to explicitly force the merchants and processors to compensate them, but in our view the question of whose fault it is may be too complex to be resolved in state or federal law and should remain a matter of contract law. What if the big credit card companies (which often provide cards to the smaller banks and credit unions) or the card networks owned by the banks (the Visa and MasterCard associations) aren't enforcing their own rules? Shouldn't they bear partial fault? The problem is discussed in stories in both the Wall Street Journal and the Washington Post today.

As reported today by Joe Pereira in the Wall Street Journal story Bill Would Punish Retailers For Leaks of Personal Data (paid subscription required):

[a Massachusetts bill] would mandate that companies whose security systems are breached assume full financial responsibility for any fraud-related losses, costs associated with the canceling and reissuing of cards, and -- in cases of identity theft -- the freezing of accounts and credit information. The bill would apply to any company doing business in Massachusetts, wherever it may be based.

In a Washington Post story today, Customer Data Breach Began in 2005, TJX Says, Ellen Nakashima reports that "the credit card industry has set up rules for data protection called the Payment Card Industry Data Security Standard." One well-known data security expert, Avivah Litan of Gartner, told Nakashima that most retailers, especially small retailers, are not following these rules, but she also argued that the retailers are not the only ones who need to fix their practices:

Litan said the retailers are not solely to blame. "It's a collective problem with collective responsibility," she said. "Certainly the retailers have to tighten up their systems, but the banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."

The Journal story reports that banks and bank payment networks are finally increasing the penalties that they impose on rule violators. It's about time, as I have previously noted. And as Litan points out, the banks and bank networks need to shoulder a bigger part of the authentication load. So do the credit bureaus, which abet the banks (and other creditors, including cell phone companies) in their sloppy issuance of new credit to identity thieves, many still in short pants. Because, really, it's consumers who pay, eventually.

Posted by Ed Mierzwinski at February 22, 2007 08:35 AM

