State lawmakers in Massachusetts are considering a bill that would shift the financial burden associated with data breaches from banks to retailers.
If passed, the law would be the first of its kind to make retailers and other companies pay for the costs related to customer notification and credit card reissuing.
The proposed legislation is broad, forcing retailers to cover all losses associated with a data breach notification, including the canceling of credit cards, and the cost of freezing accounts and credit information in cases of identity theft. Currently banks share a large portion of the financial burden.
In recent months a high-profile data breach at Framingham, Mass.-based TJX Cos. Inc., which operates a number of retail chains, including T.J. Maxx and Marshalls, has heightened interest in the issue. The massive data breach at TJX may have compromised credit card, debit card and driver's license numbers of millions of customers.
The bill was first introduced last year by Rep. Michael Costello, a Democrat in the Massachusetts House of Representatives. It was shelved last year while lawmakers took up healthcare and other issues, said Adam Martignetti, who serves as chief of staff for Costello.
"We like to look at it as saying that everyone who holds sensitive information has responsibility," Martignetti said. "We're providing an incentive for companies to get them to protect the data responsibly and securely with the strictest protocols available."
Martignetti said he expects both banks and retailers to lobby heavily for and against the bill.
"Security is something that should be part of every company's regular business operations," he said. "Both banks and retailers should share the responsibilities of securing sensitive data."
The bill has strong support from banks, but retailers strongly oppose the measure. Credit card vendors already set cost burden contracts with retailers in the event of a data breach, said Jon Hurst, president of the Retailers Association of Massachusetts, which represents 2,000 firms.
"The contracts already allow for a full cost recovery if retailers are out of compliance," Hurst said. "Legislation would be a duplication of cost recovery -- a pyramiding of costs going back to banks and to protect the small banks that don't have the 24-7 manpower and security systems in place."