Who Should Pay for Data Theft?

Earlier this month, Congress held hearings on data breaches and cybercrime, topics that raise important questions for every business and consumer. It’s a pity that Congress is not interested in answering them.

How do we come to that conclusion? Check the list of those called to testify. It included law enforcement officials responsible for chasing down hackers, regulators concerned with cybersecurity, and the poster children of the latest incidents, top executives from Target and Neiman Marcus. With this cast, the hearings provided the usual Washington theater—complete with public apology and finger-pointing. Retailers were accused of shoddy data security practices, and credit card issuers and banks of failing to use the latest credit card technology.

If congressional leaders want to solve our serious data security problems, they have to address the most important question: Who pays the bills when thousands of credit card numbers go missing? That discussion requires the participation of the banking industry, notably absent from last week’s hearings. The closest the industry got to the hearing was a letter recommending that Congress put enterprises that fail to keep their organizations secure on the hook for any financial damages—a not-so-subtle shot at retailers and others with lax information and data security protections.

Currently the rules determining who’s liable for the costs associated with a hacking incident are governed by a series of contracts among retailers, the banks that issue cards and handle payments, and the credit card companies, such as Visa and MasterCard. Those agreements generally give credit card companies the authority to levy assessments for inadequate data security standards and to require reimbursement for fraudulent charges.

In the skirmishing over liability that follows cybercrimes, banks have historically been the deep pockets that are initially left with the bill. They’re also first on the hook for card-replacement costs, which, at $10 per card for the 40 million cards affected in the Target theft, would amount to $400 million just for that breach. Banks then have the right to go after the retailer for employing lax data security systems. In some instances, retailers accused of using such systems have paid significant costs of their own. After a data breach in 2007 that involved 45 million debit and credit cards, then the largest of its time, the owner of T.J. Maxx stores paid out $65 million in settlement costs to Visa alone.

There is no precedent, however, for recent breaches, which exposed the information of as many as 110 million Target customers, 1.1 million Neiman Marcus shoppers, and an unknown number of customers of other retailers suspected of being victimized by the same malware. The massive scale of these cyberthefts presents Congress with an ideal moment to examine the issue of liability and, if prudent, create policy that allocates risk to parties best able to minimize the threat of cybercrime and protect consumers. That’s what the focus of last week’s hearings should have been.

Instead, Congress left the hard questions to the courts. Already, the Alabama State Employees Credit Union and two other banks have filed class actions on behalf of financial institutions against Target, accusing the retailer of not taking appropriate measures to safeguard customer information. The retailers are all but certain to push back. But no single judicial decision can do as much to clarify the legal muddle between retailers and banks as congressional action could.

The hackers who stole millions of credit card users’ data from Target inflict damage on all of us. The resolution of how the costs of cybercrime are allocated—if Congress had actually considered the issue—could have been the lasting legacy of the recent data thefts.