TechWeb

Massachusetts Bill Would Make Businesses Pay For Poor Data Security

Feb 22, 2007 (09:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=197008143
Companies doing business in the Bay State may soon face stiff penalties for wayward security practices as Massachusetts is now considering legislation that would place these companies on the hook to pay for any costs associated with a data breach of their IT systems.

This move to protect customer data in Massachusetts comes at a fitting time, as two prominent retailers in the area, TJX Companies and Stop & Shop, wrestle with the aftermath of significant breaches that have exposed some of their customers to fraud.

To this point, a lot of the expenses associated with stopping fraudulent activity, such as canceling or reissuing credit or debit cards, stopping payment, and refunding customers, have been absorbed by the banks issuing credit or debit cards to the victims. The merchant banks that allow businesses such as TJX and Stop & Shop stores to accept credit and debit card transactions are penalized with fines from Visa, MasterCard, and other credit card organizations if the merchants they work with are found to be in violation of the Payment Card Industry's data security standards.

But the businesses that have had customer data stolen have largely suffered only the costs of offering customers free credit monitoring services and of repairing a tarnished public image. In the case of popular retailers, this tarnish is easily polished away once juicy sales incentives are offered to win customers back.

Massachusetts House bill 213, sponsored by Rep. Michael Costello, proposes to amend the commonwealth's general laws to add a section covering any corporation or other commercial entity whose sensitive customer information is stolen. Such an entity, which is already required to notify customers of the data breach, would also be liable to card-issuing banks for the costs those banks incur because of the breach and any subsequent fraudulent activity. This would include making businesses cover the costs to cancel or reissue cards, stop payments or block transactions on any affected account, open or reopen an account, and any refund or credit made to any customer of the bank as a result of unauthorized transactions.

The Massachusetts Legislature also will consider H 328, a bill co-sponsored by Costello and re-filed from its previous session to address a number of consumer protection measures, most notably providing residents with the ability to obtain a security freeze on their credit at no charge to protect their privacy and ensure that credit isn't granted in their name without their knowledge.

The measures expressed in these bills have been on the minds of Massachusetts lawmakers for some time, says Adam Martignetti, Costello's chief of staff. "These bills were filed before we knew about TJX," Martignetti says. "It just so happens that because of TJX and Stop & Shop, they've received a lot of attention."

The parent company that runs T.J. Maxx, Marshalls, and HomeGoods retail stores admitted on Feb. 21 that its recent data breach is larger than it originally thought and that some of its customer data was compromised as far back as 2003. Stop & Shop on Feb. 17 revealed that it had discovered tampering with checkout lane electronic funds transfer units -- the PIN pads that customers often use to make purchases.

Although the H 328 bill that addresses credit freezes didn't make the cut last year, Martignetti attributes this largely to the Legislature's focus at the time on a major health-care initiative. "The bill last year came out of the consumer protection committee favorably but never came to the House floor for a vote," he says. "Due to the recent high-profile incidents, we're more confident and hopeful that something will get done this session."

The Massachusetts legislation is a key step in compelling companies to invest in better data security. "Security becomes a 'must' have, rather than a 'should' have, in three ways," says Ira Winkler, president and acting CEO of security consulting firm Internet Security Advisors Group and a former National Security Agency intelligence and computer systems analyst. "When government regulations require good security be enforced, insurance companies require it before they'll insure losses, and PCI standards mean a business could lose its ability to accept credit card payments."

Passage of these bills would put Massachusetts well ahead of other states in protecting customer data and in spreading out the penalties so that both financial institutions and retailers have incentives to improve security. Security vendors are likely to be watching Massachusetts very closely, as the bills would also create an urgent need for companies doing business in that state to invest in better ways to protect customer data. If companies won't do this on their own, then holding them accountable for their customers' financial losses may be just what's needed to stop the next data breach from occurring.