Federal Law Needed to Motivate Retailers and Others to Disclose Breach Details

Posted by Tony Kontzer

The numbers provide a constant and disturbing reminder:

  • T.J. Maxx, 2006, 94 million credit card numbers
  • Heartland Payment Systems, 2009, 130 million credit card numbers
  • Target, 2013, 40 million credit card numbers
  • Home Depot, 2014, 50 million credit card numbers

These are the biggest breaches we know of that have hit the retail industry, but they're far from the only ones. In fact, IT security vendor Trustwave recently reported that retail was the most compromised industry for the fifth straight year. In a recent post for Retail Trust Points, Karl Sigler, the company's threat intelligence manager, says the reason retailers keep taking it on the chin is a basic matter of economics.

"The large volumes of financial data continuously processed by payment and retail vendors is highly valued and can provide criminals with easy payouts," writes Sigler.

And here's the thing: No company wants to admit that a breach has occurred. Oh, eventually they have no choice, but first they do what any reasonable person might: They take steps to stop it, and then launch a lengthy investigation in the hopes that they'll find out that they stopped any real damage from occurring.

The problem is, as they're scrambling to try and figure out what just hit them, retailers lose sight of the fact that their customers' information has been compromised and may as well be flying about in cyberspace. And as incredible as it may seem, there is no federal law compelling them to come clean.

It's with this in mind that trade associations from the financial services, retail and technology sectors have joined forces to ask the House Energy and Commerce Committee to draft data protection legislation that would require breached companies to notify consumers, law enforcement and regulators of breaches in a timely manner.

Whether the effort is an authentic attempt to get companies to disclose breaches more quickly or a way for the trade groups to get in front of the issue and have a say in any resulting legislation, such pressure at the federal level is clearly needed. For now, companies must navigate 48 state-level laws dictating responses to breaches, which is as challenging as it sounds. (Only Alabama and South Dakota have no such laws in place.)

In the meantime, American consumers are still woozy from the far-reaching Equifax breach from September that provided the starkest message yet as to how vulnerable consumer data is. Some former Target and Home Depot customers still haven't returned to the retailers out of mistrust, and the tendency of companies to wait too long before looping in the victims of data breaches has compounded the problem.

Not that there aren't factions on Capitol Hill that are trying to get federal legislation approved. Even before the multi-industry faction made its request, a trio of Democratic senators reintroduced the Data Security and Breach Notification Act, which would require companies to notify consumers of breaches within 30 days under a number of circumstances, such as when social security numbers are compromised. More importantly, it proposes jail time for executives who conceal breach information.

Alas, Politico reports that "jurisdictional issues" are hanging up such legislative efforts, with the telecommunications industry, already subject to stringent privacy laws, proving to be a particular sticking point.

The fact that there is no federal legislation governing breach disclosure is a jaw-dropper. Without the weight of a federal law bearing down on them, companies—and retailers in particular—simply aren't subject to the proper motivation necessary to get them to err on the side of transparency. They know that news of a breach means damage to their reputations, loss of customers, millions in settlement and mitigation costs, and untold other consequences.

But what they don't seem to understand is this: It's the consumers that stand to lose the most when a breach goes undisclosed. It's the job of the law to enforce that understanding, and it's high time there was a law in place to do just that.

Tony Kontzer, RSA Conference
