Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches.
The bill, AB 1710, would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers' financial damages.
The bill would require the business that maintains the data to notify affected people within 15 days of the breach. As it now stands, banks and credit card companies are also liable for consumer losses caused by data breaches.
During a news conference announcing the bill, Assemblyman Roger Dickinson (D-Sacramento), who co-authored the bill along with Assemblyman Bob Wieckowski (D-Fremont), said that consumers have the right to know where their information has been stolen from, as well as have the choice as to whether or not to continue to do business with the source of the compromised data or the breach.
He's quoted by Sci-Tech Today:
Financial institutions should not be taking the heat for a data breach that occurs at a retailer.
The bill has been titled the Consumer Data Breach Protection Act.
According to Law360, the legislation is a variation of one that's already been vetoed in two different forms by former Governor Arnold Schwarzenegger.
It won't get passed without a fight this time around, either, that's for sure.
Sci-Tech Today quoted Bill Dombrowski, president of the California Retailers Association, the membership of which includes nearly every national retail chain.
The Association employs 2,776,000 people in California - nearly one-fifth of the total employment in the state.
Those retailers are ready to rumble, Dombrowski said:
It'll be a big fight, a tough fight.
One of the problems the retailers have with the bill is that it only applies to private businesses, Dombrowski said, and lets the government off the hook.
At any rate, he told Law360, why point the finger exclusively at retailers? Financial organisations also have to take part in the work that follows a breach, he said:
We're opposed to the bill because it arbitrarily assesses financial penalties on the retailer, where in the real world, what happens after a breach is there's a forensic examination done and the banks and credit card companies and retailers all have to participate. That investigation determines who is responsible.
Encryption might seem like a panacea, but it's not always that simple.
As Naked Security explained in the wake of the Target breach, credit card data isn't actually encrypted all the time, even on systems compliant with PCI-DSS, the Payment Card Industry Data Security Standards.
Usually, it's briefly unencrypted inside the PoS terminal itself: the device with the keypad into which you actually insert or swipe your card.
Putting malware into point-of-sale (PoS) terminal hardware devices is possible - that's what happened at Target - and enables crooks to skim off payment card data as early in the process as possible.
Sophos Labs' Numaan Huq wrote a fascinating article about the evolution of this particular type of malware, known as PoS RAM scrapers.
Regardless of whether AB 1710 gets passed in its recent incarnation or not, I hope that retailers are paying at least as much attention, if not more, to the development of this and other retail-focused malware as they are to the laws governing who gets stuck with the bill when the malware hits its mark.