Who should be liable for data breaches?

It’s hard at the moment to come across a story about Target without the words "data breach" being mentioned. Reports have chronicled the company’s missteps and its failure to react to signs that criminals had found a way around its defenses. At the moment, banks and credit card companies are responsible for any losses suffered by individuals as a result of data breaches, but if legislation being discussed in California is signed into law, that liability would shift to retailers instead.

The legislation being proposed, AB-1710, is designed to limit the information that merchants can collect about customers and also make them responsible for losses resulting from breaches. The bill does allow for "liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach."

"Financial institutions should not be taking the heat for a data breach that occurs at a retailer," Assemblyman Roger Dickinson, one of two co-authors of the bill, told the Los Angeles Times.

Retailers oppose the current legislation. Bill Dombrowski, president of the California Retailers Association, said the language in the bill is too broad. "We’ve got a system in place where we allocate costs based on who is responsible for the problem," he told the LA Times.

Discussion Questions

Should there be more limits on the type of data that companies can collect about consumers? Should retailers suffering data breaches be responsible for the losses coming from that activity or the involved banks and credit card companies?

8 Comments
Max Goldberg
10 years ago

Whoever did not protect the data should be responsible for the costs of a data breach. That responsibility previously rested on the shoulders of the financial community. If a retailer does not take adequate steps to protect customer data, and if that data is stolen, the retailer should be liable. That said, retailers and financial institutions both need to step up security measures.

Mag stripe cards need to be replaced by chip and pin. Social security numbers should be uncoupled from retail data and should not be sold.

With liability comes responsibility. Target should have done more to prevent the massive fraud experienced by its customers. Instead, it was arrogant and slow to act. Retailers need to accept more responsibility, a burden that should not fall solely on financial institutions.

Gene Detroyer
10 years ago

This one is simple. Who is responsible for protecting the data? If it is the retailer and the data is breached, the retailer pays the consequences. Perhaps, next time they will be more diligent.

Roger Saunders
10 years ago

Alas, the Left Coast is about to create another juicy opportunity for trial lawyers. We can only hope that the insanity of their misguided jurisprudence remains within their own boundaries.

Consumers have a right to expect privacy in their personal and financial matters. They don’t have a right, nor should they feel, that they will be forever free from charlatans who are thieves practicing data breaches (or the other kind who practice law).

Retailers and banks have to work together to be certain that they are taking effective steps to assure the confidence the consumer can have when making a transaction. As we continue the steady shift to cashless practices — making greater use of credit cards, debit cards, and digital payments — it is in the best interests of businesses to cooperate. Another “law” is not going to solve that issue. As Mr. Dombrowski points out, we have that system in place.

Steve Sommers
10 years ago

Who should be liable for data breaches? The hackers orchestrating or performing the breaches and the fraudsters using the stolen data.

Should there be more limits on the type of data that companies can collect about consumers? Yes BUT the limits need to be thought out as blocking some information could lead to higher fraud risk. I’ve seen some states and countries enact limits that prevent merchants from performing proper risk controls. Heck, the card brands create some of the fraud issues themselves with wording in the merchant agreements not allowing merchants to perform an ID check.

Should retailers suffering data breaches be responsible for the losses coming from that activity or the involved banks and credit card companies? Yes and no, and I would only say yes if the merchant was shown to be grossly negligent, and the damages would only be up to the point the breach was reported.

You have to remember there is no such thing as 100% secure. Simply creating laws making merchants MORE liable does not solve the issue — hackers will continue to hack. At some point, as more and more liability shifts to merchants, merchants will revolt and simply not accept payment instruments that come with high risk — like magnetic stripes and even the currently defined EMV. EMV, while great for preventing forged cards, does not protect the Primary Account Number (PAN) which can be used for card-not-present transactions.

Finally, has anyone thoroughly read the PCI requirements for a merchant AND had any experience being a merchant? If so, you would realize that the statement “liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach” is a red herring. One of the unwritten goals of PCI is to protect the card brands. I believe it’s all but impossible for any merchant to be 100% compliant 100% of the time, especially considering the subjective nature of many of the requirements.

Craig Sundstrom
10 years ago

The catch, of course, is that (the information contained in) stored data can also be used to verify identity, hence preventing fraud. No one here is a lawyer, and even if someone were, there’s not sufficient time to analyze the bill before commenting, so it’s difficult to address this specific effort. Suffice it to say, if everyone were satisfied with existing procedures we wouldn’t be having this conversation. Hopefully the bulk of efforts will be directed toward preventing problems, rather than paying for them after they happen.

Shep Hyken
10 years ago

Isn’t this why there is insurance? If retailers are concerned about being responsible for data breach, there are safeguards. Companies like AllClear ID will actually insure every customer for, literally, just a few pennies per customer. This should give confidence to the customer as well as the retailer.

Ed Dennis
10 years ago

The CEO, COO and the Chairman of the Board. If data is breached for any reason, it is because these three entities made a decision that funding proper protection wasn’t necessary. I would suggest a jail sentence of 2 to 5 years.

Steve Sommers
10 years ago

Sorry Ed, I have to strongly disagree. There is no such thing as 100% security. As long as there are hackers, breaches will occur. Assuming that all breaches are due to lack of funding for security or gross carelessness equates to assuming that all rape victims are simply careless and should have done more to protect themselves. Mandating that CEOs, COOs or board members go to prison for breaches would simply eliminate the acceptance of plastic — both credit and debit — and change us back to a pure cash society.
