Four big lies about data security

This article was written by David French and posted on The Retail Big Blog from the NRF.

In the wake of some major data thefts in the past few months, the House Financial Services Committee’s Subcommittee on Financial Institutions and Consumer Credit held a hearing last week on “Data Security: Examining Efforts to Protect Americans’ Financial Information” to find some answers.

To get to the bottom of these data thefts perpetrated against some of the largest retailers in the country and affecting millions of consumers, the committee invited precisely — you guessed it — zero retailers to learn about the problem and get their side of the story. As you would expect, the hearing was rife with falsehoods, inaccuracies and half-truths.

We thought we’d highlight four of the best (worst) “whoppers” from this hearing and set the record straight.

Whopper #1: Retailers are not properly incentivized to protect their data: this is why “assigning liability” for these data breaches is important.

Truth: Retailers pay a very large price for data breaches and are strongly incentivized by the market to protect their customers and their brand reputation.

Retailers have a vested interest in protecting consumers’ financial information: customers won’t shop in a store they don’t trust. Retailers must, and do, comply with the PCI Standard, designed by financial institutions to protect sensitive information, before they are even able to process payments. “Assigning liability” is not the issue; the fundamental problem is that the current card number system is too easily monetized by thieves. Thieves wouldn’t be so quick to steal card data online if it were nearly impossible to convert into counterfeit cards and fraudulent purchases. Requiring a PIN would quickly render this kind of card data theft fruitless.

Whopper #2: Retailers are in the best position to discover and disclose breaches, but they are reluctant to do so as it could adversely impact sales, stock price or reputation.

Truth: In fact, financial institutions are the ones who typically spot breaches, because their fraud detection systems usually trace suspicious activity on the cards they issue back to its source.

In many cases, reports of fraudulent card activity provide the first signs (even to the financial institutions) of a sophisticated breach. Even when hacked companies discover they have been breached, they may not immediately disclose it for fear of compromising an undercover “sting” or making the breach worse. A total of 46 states and the District of Columbia legally require retailers to notify customers of data breaches, and retailers comply with all of those laws.

Whopper #3: Financial institutions’ systems are better protected than retailers’ systems, and financial institutions have to adhere to much higher standards.