Mass. Bill Holds Retailers Responsible for Data Theft

Press enter to search
Close search
Open Menu

Mass. Bill Holds Retailers Responsible for Data Theft

BOSTON -- Following the technology-based theft of credit- and debit-card numbers from Stop and Shop Supermarket Cos., the Massachusetts Banker's Association pushed state legislators here to mandate retailers to pay all costs to fix security breaches if they fail to keep card data secure, the Boston Globe reported.

"What happened at Stop & Shop is another example of retailers not doing enough to protect consumers," association spokesman, Bruce E. Spitzer, told the paper. "If companies know they'll be responsible for every expense caused by a security breach, maybe they'll finally invest in better security."

Spitzer estimated that less than one-third of major retailers comply with national card-security standards. Visa stated that only 31 percent of large merchants meet data compliance rules, according to an earlier Globe report.

"If this legislation passes, all retailers, all companies, and all banks will know they'll be responsible for absorbing every cost associated with a data breach," Spitzer added.

However, the head of the Retailers Association of Massachusetts, Jon B. Hurst, opposed the bill, stating that it would needless new expenses that would increase bank profits, instead of protecting consumers.

"It's a typical banker pyramiding scheme to get more dollars into their pockets," Hurst said of the bill, which was filed by state Representative Michael A. Costello, a Newburyport Democrat, at the end of last year.

Stop & Shop has not disclosed the number of consumers' cards that were affected after thieves manipulated card readers at checkout lanes in Seekonk, Mass. and five Rhode Island towns. The confirmed reports of theft centered around shoppers in Coventry and Cranston, R.I., in early February, the report stated.

The scam involved a tactic called skimming -- where a point of sale device can be tampered with to plant a bugging device that steals card numbers and PINs. The company did not find any evidence of employee involvement, and has since secured all its card readers in the northeast.

Cases such as Stop & Shop are rare, according to Julie Fergerson, cofounder of Merchant Risk Council, a Seattle-based electronic commerce security group. The council estimates that out of thousands of card-skimming cases a year, less than 100 involve the manipulation of devices, because the process is complicated, yields a low number of cards and is quickly detected, "all the work the fraudster has done gets shut down," she told the paper.

This incident comes one month after TJX Cos., the Massachusetts-based company that operates T.J. Maxx, Marshalls and other retail outlets, reported a theft of customer credit- and debit-cards that could total in the millions, the report stated.

The new legislation requires any business that allows card numbers to be sacrificed to notify consumers within five days. In addition, the company would also be required to cover all expenses caused by the breach, including the cost for banks to issue replacement cards.

Hurst told the Globe retailers "firmly oppose" the bill because existing card-issuer policies already let banks recover fraud expenses from the companies that mishandle card data, and allow banks to charge retailers 2 to 4 percent of their sales to cover fraud costs, among other things, Hurst said.
Costello countered, stating that existing laws need clarification in several ways, which his bill would accomplish.