Owning Up to Security Breaches

August 14, 2008

The recent arrests of the bad guys responsible for the massive identity theft that compromised 40 million credit and debit card numbers over an eighteen-month period in 2006 and 2007 put the need for improving data security -- and for disclosing and reporting security breaches -- back on the front burner.

The thefts occurred when members of an international ring hacked into retailers' computer systems from laptops in cars parked in store parking lots; the stores used unsecured wireless networks, which gave the ring a way into the stores' systems. The thieves then sold the numbers or used them to make substantial withdrawals from ATMs.

TJX Cos., which owns discounters T.J. Maxx and Marshalls, BJ's Wholesale Club Inc., shoe retailer DSW Inc., and Dave and Buster's Inc., a restaurant chain, made headlines shortly after the thefts were detected, when these companies alerted customers. But the identities of other businesses that federal investigators say were affected by the thefts but did not inform customers -- OfficeMax Inc., Barnes and Noble Inc., Sports Authority Inc., Boston Market Corp., and Forever 21 Inc. -- came to light much later.

Several of these businesses justify their inaction because, they say, they had no evidence that the breaches occurred; others are unwilling to say whether or not they alerted their customers.

While there is no single federal law requiring notification of a data breach, most states impose such requirements. But even in states that have no statute requiring notice of a security breach, there can be a related obligation under tort law. Companies that fail to alert customers to credit card theft can leave themselves open to litigation involving customers, credit card companies, and the banks that wind up footing the bill.

The best defense against data theft is staying ahead of hackers with the latest technology, but that is still no guarantee that your system won't be compromised. If it is, the temporary loss of customer goodwill and a possible hiccup in stock price if you're publicly traded could be a small price to pay compared with the costs incurred after a cover-up is discovered.

TJX Cos. landed on its feet after the breaches at its stores. In April, the company agreed to pay MasterCard Inc. up to $24 million to settle losses suffered by the credit card company. TJX announced this week that second-quarter profits more than tripled from the year before, when it reported a charge relating to the incidents.