Having been the victim of credit card theft in the past the recent breaches at Target remind me of the level of trust we freely give to retailers (physical and online) with little or no thought to how securely they handle our data. So within hours of finding out that the breach occurred I took preventive measures which cost me both time and money…
Let me quantify this on a larger scale. Assume a median U.S. income of $50,000/year. Assume 210 work days per year for a daily income of $238. Take the lower end of my time expenditure range and it cost (“time is money”) the average person $119 to deal with the data breach. It also cost them data on their data plan, postage, the cost of phone calls, and perhaps opportunity costs (e.g., the price of the item you were trying to buy on Amazon went up while you struggled with the inability to use your credit card). A more realistic estimate of what the data breach cost the average consumer is on the order of $150 per credit card. In costs that neither Target nor your bank nor anyone else is going to reimburse. And the co-founder of Square says “no big deal”?
If we play this out then 40 million credit/debit cards compromised at Target turns into a non-recoverable cost of $6 Billion to Target’s customers. And the co-founder of Square says “no big deal”?
So who/what is supposed to be protecting us? The Payment Card Industry Data Security Standard (PCI DSS) was developed for this purpose. It is a security standard developed by the major credit card vendors designed to ensure that all entities handling credit card data do so in a safe and secure fashion. One of the main PCI Compliance objectives is to “Build and Maintain a Secure Network”, clearly Target failed here and reports indicate that hackers had repeat access to critical infrastructure that was then used to harvest data at will.
It was only 18 months ago that Barnes and Noble had a breach of their own, but subsequently kept the information from the potential victims at the request of the Justice Department (based on the ongoing investigation):
While specifics differ, most states, including California, require that companies notify customers of a breach if their names are compromised in combination with other information such as a credit card, a Social Security number or a driver’s license number.
But states make an exception for encrypted information. As long as companies wrap consumer information in basic encryption, laws do not require them to tell customers about a breach.
“If you had a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice,” said Miriam H. Wugmeister, a lawyer with Morrison & Foerster.
So it is possible that this type of intrusion has happened multiple times without our knowledge based solely on the combination of data that has been compromised, or whether the data was considered encrypted (there is no legal or consistent definition of “basic encryption” and I think it is an important consideration).
I personally believe PCI DSS should be part of Federal law (Nevada incorporated it into state law sometime ago) to account for the far reaching national consequence of a breach and to provide consistent redress to folks who get their lives turned upside down.