Retailers fight to silence customer data breaches

New bill would require companies to alert customers when data is compromised.

Illustration by D. Thomas Magee

A consortium of retailers, including Target and Home Depot, vowed to fight a data breach notification bill. The bill, HR 2205 from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to tell customers when they've been hacked and would also require the encryption of data in both storage and transit. It would hold retailers to the same data-security standards as the financial sector.

The large and powerful Retail Industry Leaders Association (RILA) sent a letter on Tuesday to House leadership saying that "it makes no sense to take one industry's regulations and apply it to a large segment of the economy without understanding the consequences."

RILA's letter claims that applying bank security rules to retailers imposes unfair regulations, specifying one that would require a criminal background check for any employee handling credit or debit card information.

But that's not actually what the bill's legislative text says. The section mentioning background checks explains that retailers should "adopt the measures that the entity concludes are appropriate." Employee background checks would be for "employees with responsibilities for, or access to, sensitive financial account information or sensitive personal information" -- only if the retailer decides it makes sense.

The American Bankers Association and other finance groups think it's about time Big Retail started sharing responsibility for cybersecurity and sent this joint letter in support of the bill. Big Banking wrote, "In our view, protecting consumer information is a shared responsibility of all parties involved."

Until now, RILA and other retail groups have been generally supportive of creating a national breach-notification standard -- but just to replace the current mishmash of state laws. A federal breach law is now inevitable, but an effective one isn't.

It's awfully conspicuous that nearly all of RILA's "premiere members" are retailers on "biggest breaches of all time" lists. The group's top dogs read like a who's who of breached companies, including Target, Home Depot, Best Buy, JC Penney, Lowe's, Walgreens, and Walmart.

Combined, these companies lost the sensitive records of hundreds of millions of people. They also behaved badly when it was time to notify customers that their personal and private information had been stolen on the retailers' watch.

Most of their customers found out they were victims by reading about it in the news. But many likely got their first 'notification' of a breach when their identities were stolen -- one in five, to be exact. For the victims, finding out probably stands out pretty vividly in their minds among the more traumatizing indignities they've suffered courtesy of an American retailer... outside of People of Walmart. In case you don't know, identity theft manifests in life-ruining fraud pertaining to mortgages; ATM, debit and credit cards; student loans; IRS and Social Security fraud; and use of identity for unauthorized medical services. It ruins your credit, can make you lose your house, and will drain your bank account in one way or another.

Most of the millions of people who were victims of these seven retailers' breaches only found out about it against the company's wishes. Target only admitted it reluctantly and notified customers after the fact. And it only came clean because it was plastered in headlines from here to eternity, not because the company was acting out of concern for its customers' welfare.

These corporations are used to getting what they want, including laws that favor their protection, not consumers'. It's like their business models have consisted of outraging the natural order of accountability. This is just another thing to make go away.

Customer breach in the news? Slap some free LifeLock accounts on 'em and tell the press "case closed."

Maybe Target and the other six breached retailers in RILA came to the conclusion a long time ago that cutting cybersecurity corners is worth more than being able to sleep at night. And maybe they just can't face another public embarrassment when they eventually get dragged once more into the breach, as it were.

It would be a shame to see everyone dragged into another breach. Except if RILA has their way about it, it's likely no one would know about it anyway, until it's way too late.

Well, the ones posting snatched home addresses and credit cards on illegal data trade sites will know about it. Otherwise, we're just at the receiving end of an elaborate game of finding out the hard way. It's unlikely a bunch of Big Retail's customers will all notice they're victims of identity theft all at the same time, but it's possible.

Though wouldn't it be nice if making us find out the hard way was something retailers could actually get in trouble for?

Image: Damian Dovarganes/AP (Target)