Data breach law could put financial burden on retailers

Robert Westervelt, News Editor

State lawmakers in Massachusetts are considering a bill that would shift the financial burden associated with data breaches from banks to retailers.

If passed, the law would be the first of its kind to make retailers and other companies pay for the costs related to customer notification and credit card reissuing.

The proposed legislation is broad, forcing retailers to cover all losses associated with a data breach notification, including the canceling of credit cards, and the cost of freezing accounts and credit information in cases of identity theft. Currently banks share a large portion of the financial burden.

In recent months, a high-profile data breach at Framingham, Mass.-based TJX Cos. Inc., which operates a number of retail chains, including T.J. Maxx and Marshalls, has heightened interest in the issue. The massive data breach at TJX may have compromised the credit card, debit card and driver's license numbers of millions of customers.

The bill was first introduced last year by Rep. Michael Costello, a Democrat in the Massachusetts House of Representatives. It was shelved last year while lawmakers took up healthcare and other issues, said Adam Martignetti, who serves as chief of staff for Costello.

"We like to look at it as saying that everyone who holds sensitive information has responsibility," Martignetti said. "We're providing an incentive for companies to get them to protect the data responsibly and securely with the strictest protocols available."

Martignetti said he expects both banks and retailers to lobby heavily for and against the bill.

"Security is something that should be part of every company's regular business operations," he said. "Both banks and retailers should share the responsibilities of securing sensitive data."

The bill has strong support from banks, but retailers strongly oppose the measure. Credit card vendors already set cost burden contracts with retailers in the event of a data breach, said Jon Hurst, president of the Retailers Association of Massachusetts, which represents 2,000 firms.

"The contracts already allow for a full cost recovery if retailers are out of compliance," Hurst said. "Legislation would be a duplication of cost recovery -- a pyramiding of costs going back to banks and to protect the small banks that don't have the 24-7 manpower and security systems in place."