Consumers come first. The theft of data affecting thousands of shoppers from the servers of Target and Nieman Marcus could harm individuals. And the threat of identity theft has exploded, rising by more than 50 percent from 2005 through 2010.
Media and policymakers are right to focus on customer plight. But we shouldn’t forget that data theft also costs retailers too and we shouldn’t resort to new legislation that penalizes the victim.
With any data breach, businesses face the obvious damage to trust and consumer confidence. Consumers start shopping at competitors and become skeptical of loyalty cards. But there’s also the monetary cost of a data breach cutting a business’s ability to meet investor expectations, grow and create jobs.
In a statement on its breach, Target laid out the expenses it now faces:
At this time, … costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.
These costs may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.
So both consumers and businesses are harmed by data theft, but what is the appropriate response for regulatory agencies and elected officials?
All too often, the first instinct is to attack retailers. This ignores the reality that they too are victims of theft.
This is like blaming a bank for getting robbed or a woman whose purse was snatched. They are all victims. But some don’t see it that way. Sen. Mendedez wants to blame the victim by passing new laws giving the FTC the ability to impose fines or penalties on business that get hacked.
But businesses and credit card companies have already financial incentives to protect consumers and their data.
For consumers – they are not responsible for fraudulent purchases on their credit card. It’s businesses that pay when a fraudulent purchase is made. This means that businesses and credit card companies have financial reasons to create secure systems and try to stay ahead of the thieves.
If Congress believes it must do something, it should consolidate existing state standards into a single rule for data breach notification. Today, online and offline businesses face a patchwork of state laws, Attorney’s General and consumer organizations that play by different and confusing rules. A single federal standard for data breach notification would resolve the confusion and benefit both consumers and businesses.
Criminals will continue to develop new ways to break into businesses. We should all work to stop them. The industry works to stay one step ahead of the criminals. Law enforcement can track them down. And Congress can pass legislation creating a coordinated effort that makes it easier to fight crime, shield consumers, and help businesses get back in the game.