
Retailers And Data Breaches

Tags » Card Fraud, Data Security, MasterCard, Merchants, Visa

Responding to recent press reports of a major data breach at a national retailer, Congressman Barney Frank, the Ranking Member of the Financial Services Committee, has announced he has written to the CEOs of Visa and MasterCard regarding their unwillingness to name the retailer involved.

It has been reported in the press that a major retail chain in the United States had their data compromised by a hacker, and even though consumers were informed of the breach, the retailer was not named by the credit card companies.

“The party responsible for security systems that are breached by unauthorized parties should be the one to notify customers of the breach or, at minimum, should be identified publicly as the party responsible for the breach. If there are legal impediments that prevent you from identifying those responsible for a security breach, I would like to know what they are in order to fix them,” Frank writes in his letter.

Last summer, Congressman Frank, along with Reps. Melissa Bean and Artur Davis, introduced H.R. 3140 to provide tough consumer protections and enforcement against credit card fraud and identity theft. The “Consumer Data Security and Notification Act of 2005” will strengthen federal protections against improper collection and sale of sensitive consumer information and provide consumers with advance warning when their personal information is at risk. In addition, the bill includes specific requirements that consumers be informed about the retailer or any entity responsible for a data breach. In practice, this will end the future shielding of companies where the breach originated.

The text of Congressman Frank’s February 14 letter to Mr. John Coghlin, President & CEO, Visa U.S.A., Inc., and Mr. Robert W. Selander, President & CEO, MasterCard International, follows:

I was upset to read press accounts this week describing how Bank of America, Washington Mutual, Wells Fargo and other financial institutions have had to inform hundreds of thousands of customers that their financial accounts had been compromised in a security breach at an unnamed U.S.-based retailer. If these press reports are correct, MasterCard and Visa notified numerous financial institutions in January that their customers’ account information may have been obtained when a hacker penetrated the computer system of a major national retailer, but did not identify the retailer responsible for the security breach.

The party responsible for security systems that are breached by unauthorized parties should be the one to notify customers of the breach or, at minimum, should be identified publicly as the party responsible for the breach. If there are legal impediments that prevent you from identifying those responsible for a security breach, I would like to know what they are in order to fix them.

You will recall that I raised similar concerns about MasterCard’s practice of shielding parties responsible for security breaches in a letter to you almost two years ago in the aftermath of the 2003 BJ’s Wholesale Club security breach. At that time, MasterCard and Visa informed numerous New England banks and credit unions that specific credit and debit card accounts had been compromised without disclosing the identity of the retailer involved, forcing these institutions to reissue customer accounts without adequate explanation. The inability to identify the source of the breach created an inaccurate and unfair impression that these institutions were somehow at fault and that their card programs were not as secure or well managed as their larger bank competitors.

The effort to conceal BJ’s involvement in that breach appears to have done more harm than good, encouraging numerous banks, credit union and consumer lawsuits seeking more than $13 million in claims against the company. Had BJ’s followed the example of numerous other retailers, universities and banks that publicly disclosed security breaches over the past year, and then worked with all parties to mitigate potential fraud, these problems could have been minimized.

As I emphasized to you in 2004, I believe the public interest calls for identifying the source of any significant security breach to all affected credit or debit card issuers. If this can not be done legally at present, I feel strongly enough on this point to make legislative changes to make this a requirement.

BARNEY FRANK


PAYMENTS NEWS IS PRODUCED BY AND IS A SERVICE MARK OF GLENBROOK PARTNERS, LLC
ISSN 1556-4487

Compilation Copyright © 2002 - 2008 Glenbrook Partners LLC. All Rights Reserved.