Get with the program
THE PARENT COMPANY of Marshalls and T.J. Maxx made a stunning disclosure earlier this year, revealing in a regulatory filing that hackers had stolen account information from at least 45.7 million credit card holders. As disturbing as that record-setting lapse may be, it’s even more unnerving to note that a wave of smaller breaches is forcing banks and credit unions to reissue cards to customers almost every day.
The thefts underscore how important it is for businesses that collect sensitive personal information to assume that data thieves will find a way inside their computer networks. That means keeping as little information about customers as possible, monitoring networks to discover breaches quickly and making it hard for thieves to use whatever data they do grab.
Unfortunately, many businesses aren’t taking these steps. Instead of spending money now to protect their databases, they’re betting they won’t have to compensate customers victimized by a breach down the road. That’s why Assemblyman Dave Jones (D-Sacramento) and the state credit unions have proposed a bill, AB 779, to impose some basic data-protection standards on companies that retain customers’ credit card and debit card information. Based on standards developed by credit card companies, which only about a third of the most active merchants have complied with, the bill would require businesses to scramble their customers’ card numbers and bar them from storing the data used to authenticate cards, such as personal identification numbers. And to encourage businesses to protect their data, it would require them to cover the cost of reporting breaches and issuing new cards.
A wide array of business groups, including retailers, grocers, restaurateurs, bankers, insurers and online companies, have lined up against the bill, which the Assembly is expected to vote on as early as today. The breadth of opposition reflects the ubiquity of credit and debit cards in American commerce. But that pervasiveness makes it all the more important to minimize the potential damage. Merchants have been part of the problem, and they need to become part of the solution.
