The consequences of the recent Target customer data breach may finally include significant changes to both data protection and where the liability for breaches may fall, if we see follow-through on early inquiries from several places.
After the discovery that at least 40 million Target customers’ data was fraudulently accessed – and maybe as many as 110 million – Senator Claire McCaskill, representing the Senate subcommittee on consumer protection, and Senator Jay Rockefeller, representing the Senate commerce committee, initiated fact-finding for an investigation into what led to the breach. The LA Times reports that several Attorneys General are also beginning investigations into the Target breach, along with the Neiman Marcus breach that followed a few days later.
And while the number of lawsuits filed, mostly from consumers, with Target as the, well, target, has already reached the double digits, some banking experts say that the focus needs to shift toward the other involved parties if anything is to change.
Retailers need to take more responsibility in these situations, but “MasterCard and Visa drive these programs,” Gary Olson, president and CEO of ESSA Bank told AmericanBanker.com. While Olson is mostly pessimistic that anything will change, he suggests that one important step is for the payment partners and banks to accept that they must adopt the more-secure EMV card standard prevalent in Europe, Asia and other parts of the world. The costs of replacing not only the cards themselves but the ATMs and point-of-sale equipment that read them have held the U.S. back in this regard, even though the superior encryption in the EMV system is well-known.
The Target breach may be a tipping point, however. EMV looks better than ever, says Beth Robertson, a payments consultant who works with Javelin Strategy & Research. “It will strike more issuers and merchants that they need to make the conversion so that they don’t get left holding a wide-scale loss,” she told Bloomberg.com. As it stands, according to the Bloomberg piece, Visa and MasterCard give acquirers and issuers until October 2015 to adopt EMV or face additional liabilities for fraudulent transactions. Retailing organizations have pointed out that that switch may not be adequate, and that the addition of PIN use would create a stronger set of customer data protections.
In a brand-new Payments Insights newsletter, Business Insider includes a prediction from Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, that more information sharing will be a significant result of this Target breach, and will lead to stronger security stances. Once again, improved communication may prove to be one of the most crucial strategies in dealing with an increasingly frightening – and expensive – problem. Said Nelson, “sharing of information has prevented a lot of fraud and massive attacks that a lot of people don’t know about.”