
Who's mining the store? Retailers may soon be compelled to reimburse banks for the costs of data breaches.

Key Points

* State and federal lawmakers are considering whether to compel retailers to reimburse banks for costs incurred when customer credit card numbers are stolen.

* Some 92% of banks surveyed said they have reissued credit cards to customers due to a data breach.

* Retailers constitute a growing proportion of the market for information security insurance.

Retailing may soon become a far riskier business. Pressure is growing on state and federal lawmakers to require retailers to reimburse banks for many of the costs incurred when customer information--particularly credit card numbers--is stolen. The insurance industry has taken notice, with information security policies being introduced in the past few years to address liability problems related to a significant security breach.

Two recent developments hint at the potential scale of this liability. The first was the widely publicized theft of credit and debit card information from subsidiaries of Massachusetts-based retailing group TJX Cos. The theft of more than 45 million credit and debit card numbers, believed to be the largest ever, allegedly occurred in 2005 and 2006 but did not come to light until this past December, 18 months after the initial intrusion. Its impact is still being assessed.

The second development took the form of a survey conducted by the America's Community Bankers trade association among its more than 1,000 member banks, just after the TJX security breach was revealed. An astonishing 92% of the 181 respondents said they had reissued credit cards to customers affected by a data breach, and 70% said they had taken such action three times or more in the previous 24 months.

Estimates vary widely as to the cost of reissuing a stolen or compromised credit card. The ACB puts it at $10 to $20 per card; AmeriFirst Bank Inc., which has sued TJX over the security breach, estimates $20; and the Massachusetts Bankers' Association says it's "up to $25" per card. Whatever the figure, the cumulative impact on a large or midsize retailer could be substantial if the retailer's liability for such costs were established.

Under current law, it is not always clear where liability falls. In 2005 a Pennsylvania court dismissed a suit brought against BJ's Wholesale Club Inc. by Sovereign Bank, which had been obliged to reissue cards following a massive data breach at the retailer. This has not deterred banking associations from suing TJX in Massachusetts.

Regulatory Initiatives

Whatever the uncertainties of current law, the picture may soon become clearer. Massachusetts legislators are considering a bill that would require retailers to reimburse banks for a variety of costs following a data breach. In late May, Minnesota became the first state to pass a law, the Plastic Card Security Act, that imposes a statutory liability on retailers to reimburse card issuers in certain circumstances. The card issuers' right to such reimbursement begins Aug. 1, 2008. And at the federal level, the America's Community Bankers group is lobbying for a "national standard for ... reasonable reimbursement of the costs community banks incur to protect consumers when there is a breach at a company."

It is not clear how much action can be anticipated from Washington. To date, the principal legislative effort has focused on simply requiring the source of data breaches to be disclosed to consumers. This has not always been the case. Notified of data breaches by MasterCard and Visa, banks often have been unable to tell customers where the breaches occurred. Legislation introduced in 2005 by U.S. Rep. Barney Frank, D-Mass., chairman of the House Financial Services Committee, and two other Democrat representatives was designed to address this.

There is a line between identifying a retailer as the victim of a data breach and requiring the same retailer to bear costs incurred by third parties. Frank seemed to blur that line in January, after the TJX losses began to emerge. "Those institutions where breaches have occurred must be identified, and they must bear responsibility," he said. "Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today."

The costs incurred by retailers following data breaches are already considerable. Data broker ChoicePoint reported charges of $11.4 million in 2005 relating to the theft of data from 145,000 customer accounts. IT research and consulting firm Gartner, Inc. has estimated the additional expense of strengthening ChoicePoint's systems would bring the total cost from the breach up to $90 per account affected.

Assessing Liability

It is hard to say which types of retailers are most vulnerable. The largest firms may appear the most attractive targets because, once successfully breached, they offer the biggest payoff. But smaller firms may be easier targets if they lack best practices for network security risk management.

For effective risk management, state of the art technology is only part of the story. The main vulnerability lies with the acts or omissions of human beings, not with the sophistication of IT systems. Some protection against data theft is afforded by the Payment Card Industry Data Security Standard, which took effect in June 2005. The standard establishes both technological and procedural requirements for all merchants accepting MasterCard or Visa payments and threatens noncompliant merchants with fines up to $500,000 per incident if their data are compromised.

However, some network security experts question the process that enables most retailers to claim compliance with PCI standards. Only companies processing more than 6 million MasterCard or Visa transactions annually must undergo formal PCI compliance audits conducted by trained security specialists. All others simply have to answer a series of yes/no self-assessment questions.

The final defense is risk transfer via insurance. The market for information security insurance has been growing rapidly in recent years, and total market premiums from this class are now likely to exceed $100 million. Retailers constitute a growing proportion of the client base. The coverage, which can be provided for up to $20 million in limits on a primary basis, is mainly available in the United States through the surplus lines market. Insureds are protected against liability to third parties for financial losses incurred by the third parties due to a breach of the insured's security systems. Such a breach may derive from a hacker external to the company, but losses due to disgruntled employees or consultants also are covered.

Over the past few years, a number of insurers, including Beazley, have been offering this coverage in tandem with privacy liability coverage. This does not require a technical security breach and covers losses arising from the unauthorized disclosure of personal information, such as credit card numbers or health-care records.

Insurance of these kinds can provide coverage for the risk that retailers retain, no matter how robust their risk management precautions.

Critical 'Mass'

A bill being considered by Massachusetts legislators would require retailers to reimburse banks for the following costs related to data breaches:

* The cancellation or reissuance of affected credit cards;

* The closure of any deposit, transaction, share draft, or other account and any action to stop payments or block transactions with respect to any such account;

* The opening or reopening of any deposit, transaction, share draft, or other account for any customer of the bank; and

* Any refund or credit made to any customer of the bank as a result of unauthorized transactions.

By the Numbers: data security

181 Number of respondents to America's Community Bankers member survey.

70% Percentage of respondents who said their bank had to reissue cards due to data breaches three times or more in the past 24 months.

39% Percentage who said their bank had to reissue cards more than five times in the past 24 months.

89% Percentage of the debit card issuers that said their customers had been affected by a data breach.

53% Percentage of the credit card issuers that indicated their customers had been affected by a data breach.

92% Percentage of respondents that had reissued cards to customers who were affected by a data breach.

Source: America's Community Bankers member survey conducted between Jan. 26 and Feb. 5, 2007.

Bob Wice is an E&O underwriter at Beazley, focusing on technology, media and professional liability accounts. He can be reached at
COPYRIGHT 2007 A.M. Best Company, Inc.

Article Details
Title Annotation:Regulatory/Law: Credit Card Data
Author:Wice, Bob
Publication:Best's Review
Date:Aug 1, 2007