Data breach law could put financial burden on retailers

By Robert Westervelt, News Editor 23 Feb 2007 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

We're providing an incentive for companies to get them to protect the data responsibly and securely with the strictest protocols available. Adam Martignetti, chief of staff, Rep. Michael Costello

If passed the law would be the first of its kind to make retailers and other companies pay for the costs related to customer notification and credit card reissuing.

The proposed legislation is broad, forcing retailers to cover all losses associated with a data breach notification, including the canceling of credit cards, and the cost of freezing accounts and credit information in cases of identity theft. Currently banks share a large portion of the financial burden.

In recent months a high-profile data breach at Framingham, Mass.-based TJX Cos. Inc., which operates a number of retail chains, including T.J. Maxx and Marshalls has heightened interest in the issue. The massive data breach at TJX may have compromised credit, debit card and driver license numbers of millions of customers.

Data breach: How to survive a data breach Complying with breach notification laws TJX data breach worse than initially feared Column: If customers don't act, data will remain at risk Survey: Data breach costs surge

The bill was first introduced last year by Rep. Michael Costello, a Democrat in the Massachusetts House of Representatives. It was shelved last year while lawmakers took up healthcare and other issues, said Adam Martignetti, who serves as chief of staff for Costello.

"We like to look at it as saying that everyone who holds sensitive information has responsibility," Martignetti said. "We're providing an incentive for companies to get them to protect the data responsibly and securely with the strictest protocols available."

Martignetti said he expects both banks and retailers to lobby heavily for and against the bill.

"Security is something that should be part of every company's regular business operations," he said. "Both banks and retailers should share the responsibilities of securing sensitive data."

The bill has strong support from banks, but retailers strongly oppose the measure. Credit card vendors already set cost burden contracts with retailers in the event of a data breach, said Jon Hurst, president of the Retailers Association of Massachusetts, which represents 2,000 firms.

"The contracts already allow for a full cost recovery if retailers are out of compliance," Hurst said. "Legislation would be a duplication of cost recovery -- a pyramiding of costs going back to banks and to protect the small banks that don't have the 24-7 manpower and security systems in place."

Tags: State data security breach laws,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT State data security breach laws Download presentations from Financial Information Security Decisions 2009 Understanding the impact of new state data protection laws Data breaches jumped in 2008, ITRC report finds Complying with breach notification laws Opinion: Government misses its chance to protect data Flurry of state disclosure laws creates confusion for CISOs Governor rejects data security law

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary