Who's mining the store? Retailers may soon be compelled to reimburse banks for the costs of data breaches.


Key Points

* State and federal lawmakers are considering whether to compel retailers to reimburse banks for costs incurred when customer credit card numbers are stolen.

* Some 92% of banks surveyed said they have reissued credit cards to customers due to a data breach.

* Retailers constitute a growing proportion of the market for information security insurance.

Retailing may soon become a far riskier business. Pressure is growing on state and federal lawmakers to require retailers to reimburse banks for many of the costs incurred when customer information--particularly credit card numbers--is stolen. The insurance industry has taken notice, with information security policies being introduced in the past few years to address liability problems related to a significant security breach.

Two recent developments hint at the potential scale of this liability. The first was the widely publicized theft of credit and debit card information from subsidiaries of Massachusetts-based retailing group TJX Cos. The theft of more than 45 million credit and debit card numbers, believed to be the largest ever, allegedly occurred in 2005 and 2006 but did not come to light until this past December, 18 months after the initial intrusion. Its impact is still being assessed.

The second development took the form of a survey conducted by the America's Community Bankers trade association among its more than 1,000 member banks, just after the TJX security breach was revealed. An astonishing 92% of the 181 respondents said they had reissued credit cards to customers affected by a data breach, and 70% said they had taken such action three times or more in the previous 24 months.

Estimates vary widely as to the cost of reissuing a stolen or compromised credit card. The ACB puts it at $10 to $20 per card; AmeriFirst Bank Inc., which has sued TJX over the security breach, estimates $20; and the Massachusetts Bankers' Association says it's "up to $25" per card. Whatever the figure, the cumulative impact on a large or midsize retailer could be substantial if the retailer's liability for such costs were established.

Under current law, it is not always clear where liability falls. In 2005 a Pennsylvania court dismissed a suit brought against BJ's Wholesale Club Inc. by Sovereign Bank, which had been obliged to reissue cards following a massive data breach at the retailer. This has not deterred banking associations from suing TJX in Massachusetts.

Regulatory Initiatives

Whatever the uncertainties of current law, the picture may soon become clearer. Massachusetts legislators are considering a bill that would require retailers to reimburse banks for a variety of costs following a data breach. In late May, Minnesota became the first state to pass a law, the Plastic Card Security Act, that imposes a statutory liability on retailers to reimburse card issuers in certain circumstances. The card issuers' right to such reimbursement begins Aug. 1, 2008. And at the federal level, the America's Community Bankers group is lobbying for a "national standard for ... reasonable reimbursement of the costs community banks incur to protect consumers when there is a breach at a company."

It is not clear how much action can be anticipated from Washington. To date, the principal legislative effort has focused on simply requiring the source of data breaches to be disclosed to consumers. This has not always been the case. Notified of data breaches by MasterCard and Visa, banks often have been unable to tell customers where the breaches occurred. Legislation introduced in 2005 by U.S. Rep. Barney Frank, D-Mass., chairman of the House Financial Services Committee, and two other Democratic representatives was designed to address this.

There is a line between identifying a retailer as the victim of a data breach and requiring the same retailer to bear costs incurred by third parties. Frank seemed to blur that line in January, after the TJX losses began to emerge. "Those institutions where breaches have occurred must be identified, and they must bear responsibility," he said. "Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today."

The costs incurred by retailers following data breaches are already considerable. Data broker ChoicePoint reported charges of $11.4 million in 2005 relating to the theft of data from 145,000 customer accounts. IT research and consulting firm Gartner, Inc. has estimated the additional expense of strengthening ChoicePoint's systems would bring the total cost from the breach up to $90 per account affected.

Assessing Liability

It is hard to say which types of retailers are most vulnerable. The largest firms may appear the most attractive targets because, once successfully breached, they offer the biggest payoff. But smaller firms may be easier targets if they lack best practices for network security risk management.

For effective risk management, state-of-the-art technology is only part of the story. The main vulnerability lies with the acts or omissions of human beings, not with the sophistication of IT systems. Some protection against data theft is afforded by the Payment Card Industry Data Security Standard, which took effect in June 2005. The standard establishes both technological and procedural requirements for all merchants accepting MasterCard or Visa payments and threatens noncompliant merchants with fines up to $500,000 per incident if their data are compromised.

However, some network security experts question the process that enables most retailers to claim compliance with PCI standards. Only companies processing more than 6 million MasterCard or Visa transactions annually must undergo formal PCI compliance audits conducted by trained security specialists. All others simply have to answer a series of yes/no self-assessment questions.

The final defense is risk transfer via insurance. The market for information security insurance has been growing rapidly in recent years, and total market premiums from this class are now likely to exceed $100 million. Retailers constitute a growing proportion of the client base. The coverage, which can be provided for up to $20 million in limits on a primary basis, is mainly available in the United States through the surplus lines market. Insureds are protected against liability to third parties for financial losses incurred by the third parties due to a breach of the insured's security systems. Such a breach may derive from a hacker external to the company, but losses due to disgruntled employees or consultants also are covered.

Over the past few years, a number of insurers, including Beazley, have been offering this coverage in tandem with privacy liability coverage. This does not require a technical security breach and covers losses arising from the unauthorized disclosure of personal information, such as credit card numbers or health-care records.

Insurance of these kinds can provide coverage for the risk that retailers retain, no matter how robust their risk management precautions.

Critical 'Mass'

A bill being considered by Massachusetts legislators would require retailers to reimburse banks for the following costs related to data breaches:

* The cancellation or reissuance of affected credit cards;

* The closure of any deposit, transaction, share draft, or other account and any action to stop payments or block transactions with respect to any such account;

* The opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and

* Any refund or credit made to any customer of the bank as a result of unauthorized transactions.

By the Numbers: data security

181 Number of respondents to America's Community Bankers member survey.

70% Percentage of respondents who said their bank had to reissue cards due to data breaches three times or more in the past 24 months.

39% Percentage who said their bank had to reissue cards more than five times in the past 24 months.

89% Percentage of the debit card issuers that said their customers had been affected by a data breach.

53% Percentage of the credit card issuers that indicated their customers had been affected by a data breach.

92% Percentage of respondents that had reissued cards to customers who were affected by a data breach.

Source: America's Community Bankers member survey conducted between Jan. 26 and Feb. 5, 2007.

Bob Wice is an E&O underwriter at Beazley, focusing on technology, media and professional liability accounts. He can be reached at bob.wice@beazley.com.
COPYRIGHT 2007 A.M. Best Company, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007, Gale Group. All rights reserved.

Article Details
Title Annotation: Regulatory/Law: Credit Card Data
Author: Wice, Bob
Publication: Best's Review
Date: Aug 1, 2007
Words: 1361