There is little doubt that 2014 has been the year of the data breach. The latest currently under investigation is the breach of consumer payment data at Home Depot. Initial reports suggest the breach may be larger in scope than the one at Target. This is a scary thought considering Target lost upward of 110 million consumer records. Golden 1 Credit Union estimates that 10 percent of its members were affected by that particular breach.
The Home Depot breach and the Goodwill breach reported in July add to a shockingly long list of retail breaches this year, including names like Neiman Marcus, PF Chang’s and Michaels. The prominence of retail establishments on this list should be alarming to consumers and lawmakers. Why? Because data security requirements for retailers are lenient and inconsistent across the board. Consumers and lawmakers should be appalled at the laissez-faire approach retailers take when it comes to protecting consumers’ sensitive payment information.
Credit unions and other financial institutions go to great lengths to ensure protection of consumers’ sensitive payment information. Credit unions are subject to the highest consumer data protection standards under the Gramm-Leach-Bliley Act. Retailers, on the other hand, have no truly comparable California or federal data security requirement to protect consumer data. This represents a weak link in the chain, and it needs to be addressed to provide a standard for businesses to protect consumer information.
Retailers should have some accountability to enhance what they do to prevent data breaches. The latest Home Depot breach is another PR embarrassment retailers will have to spin before returning to business as usual and ignoring the issue of protecting consumer payment information. Credit unions have little confidence that retailers will shoulder the responsibility they’ve typically passed on to consumers, credit unions and everyone else in the payments ecosystem.
While the payments world develops technologies such as EMV, tokenization and mobile payments, which will innovate the way consumers pay for goods and services, California lawmakers should address how retailers protect consumer data when they accept payment. Clearly, the list of high-profile data breaches this year is indicative that the problem is, and will likely continue to be, with the retailers.
Consumers need transparency and the requisite knowledge to understand where their data has been put at risk. Retailers must do a better job of immediately notifying the public that they have experienced a breach. The fact that months go by before retailers publicly admit to having a security breach of consumers’ sensitive payment information should be unacceptable to lawmakers.
If consumers had more timely information about when and where their personal information was lost, they could direct frustrations and concerns to responsible parties, and retailers would have an incentive to protect their own reputations and secure data properly. The breaches at high-profile retailers are known to the public only because the merchants came forward, likely because of the size and scope of payment cards affected, not because the law requires this type of consumer notification.
The cost implications for retail data breaches are far-reaching. The Target breach cost credit unions nationwide more than $30 million. For not-for-profit credit unions these costs make a significant difference in our ability to offer services to members. Card-replacement costs alone translate to $5 to $10 apiece to reissue and deliver. Credit unions increase staffing at call centers and enhance account monitoring, detracting from other potential member services.
Current law at the state and federal level is structured in such a way that retailers are able to abdicate their responsibility. Free credit-monitoring services and other passive assurances by retailers are not the answer. Untold millions of consumers this year have had to experience a great deal of uncertainty and worry over losing their hard-earned money as a result of a retail data breach.
California lawmakers must act to ensure that 2015 is not also known as the year of the retail data breach.