Although Target spends millions of dollars each year on credit card security, its breach was bound to happen: the technology behind U.S. card payments is outdated, and the industry's consumer protections are incomplete.
Nearly 40 million holiday shoppers who swiped their debit and credit cards in store between Nov. 27 and Dec. 15 are at risk of identity theft and credit card fraud. The breach was likely caused by malicious software on Target's systems and may have been an inside job. While Target hasn't confirmed the official cause, the big box retailer and the U.S. Secret Service (which also covers currency counterfeiting, fraud and electronic crime) are investigating the record-setting breach. (T.J. Maxx suffered an even bigger breach in 2007 that affected nearly 46 million consumers.)
“The fact this breach can happen with all of their security in place is really alarming,” Avivah Litan, a security analyst with Gartner Research, told the Associated Press.
Credit card scams of this nature usually happen at a single store or machine and not nationwide, according to Dan Kaminsky, co-founder of New York-based cybersecurity firm White Ops: “Attacks of this scale are common, but attacks that get this class of data are unusual.”
Only Australia sees more data breaches than the U.S. On average, each breach involves nearly 30,000 records, according to a Ponemon Institute study on breach costs released in May. Part of that is due to obsolete technology used in American credit and debit card transactions. U.S. cards store the account data on a magnetic stripe, and that data is static: anything that reads it at the point of sale, whether a skimmer or malware on the register, captures everything needed to write a working copy of the card. Cards issued abroad carry an embedded chip (the EMV standard) that instead computes a one-time cryptogram for every transaction, using a secret key that never leaves the chip, so captured data cannot be replayed and the card is far harder to counterfeit. The chip does not stop the card number itself from being stolen, or from being used for online purchases where no card is presented.
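The difference between static stripe data and a per-transaction cryptogram is easiest to see in code. The following is an added example, not code from the article or from any payment network: a toy issuer that first authorizes magnetic-stripe swipes, then chip transactions. The chip side is a simplification of EMV, with HMAC-SHA256 under a per-card key standing in for the real ARQC computation, and an Application Transaction Counter (ATC) plus a terminal-supplied unpredictable number bound into the cryptogram. The PAN is the standard 4111... test number and every key, counter and amount is constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


# --- Magnetic stripe model -------------------------------------------------
# The stripe carries static track data; the terminal reads it and forwards it.
# Constructed sample using a standard test PAN, not a real card.
VALID_TRACK2 = {"4111111111111111=25121011234567890"}


def magstripe_authorize(track2: str) -> bool:
    """Issuer-side check for a swipe: with nothing fresh in the message, the
    most it can do is confirm the static data belongs to a valid card."""
    return track2 in VALID_TRACK2


def magstripe_replay_accepted() -> bool:
    """Malware on the register captures the track data once; the later,
    fraudulent presentation is indistinguishable from the genuine one."""
    captured = "4111111111111111=25121011234567890"   # skimmed from POS memory
    first = magstripe_authorize(captured)             # the real purchase
    replay = magstripe_authorize(captured)            # written to a cloned card
    return first and replay


# --- Chip (EMV-style) model ------------------------------------------------
# Simplified stand-in for EMV: a real card derives a session key and computes
# an ARQC with 3DES/AES; here HMAC-SHA256 over the same fields plays that role.
@dataclass
class ChipCard:
    pan: str
    key: bytes      # card-unique secret; never leaves the chip
    atc: int = 0    # Application Transaction Counter, increments every use

    def cryptogram(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{unpredictable_number:08x}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "mac": mac}


class Issuer:
    def __init__(self) -> None:
        self.keys: dict = {}       # pan -> per-card key
        self.last_atc: dict = {}   # pan -> highest ATC accepted so far

    def enroll(self, card: ChipCard) -> None:
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorize(self, req: dict, terminal_un: int, amount_cents: int) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        # The chip must have signed over this terminal's fresh challenge and
        # this amount; a cryptogram captured elsewhere will not match.
        if req["un"] != terminal_un or req["amount"] != amount_cents:
            return False
        # The counter must move forward; a repeated ATC is a replay.
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|{req['un']:08x}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, req["mac"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True


def chip_scenario() -> dict:
    """One legitimate purchase, then three attempts to reuse or alter the
    captured authorization request."""
    issuer = Issuer()
    card = ChipCard("4111111111111111", b"constructed-per-card-key")
    issuer.enroll(card)

    un = 0x1A2B3C4D                       # terminal's unpredictable number
    req = card.cryptogram(1999, un)       # a $19.99 purchase
    legit = issuer.authorize(req, un, 1999)

    # Captured request presented at another terminal: wrong challenge.
    replay_other = issuer.authorize(req, 0x55667788, 1999)
    # Same terminal and challenge: the ATC has already been consumed.
    replay_same = issuer.authorize(req, un, 1999)
    # Forged request for a larger amount with a fresh ATC: MAC no longer verifies.
    forged = dict(req, amount=99999, atc=req["atc"] + 1)
    forged_ok = issuer.authorize(forged, un, 99999)
    return {"legit": legit, "replay_other_terminal": replay_other,
            "replay_same_terminal": replay_same, "forged_amount": forged_ok}
```

The stripe model accepts the captured data every time because nothing in a swipe changes between presentations. The chip model rejects every reuse for a different reason each time (stale counter, wrong challenge, broken MAC), which is why track data stolen from a register is valuable and a captured cryptogram is not.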
But American banks and retailers don't want to spend the money to upgrade to more secure technology. Instead, the U.S. spends billions of dollars recovering from breaches: about $5.4 million per incident, according to the study.
In general, how businesses protect consumer data is largely self-regulated, with standards that focus more on a breach's aftermath than on preventing it.
Forty-six states and the District of Columbia have data breach notification laws. Those laws, to varying degrees, require privately owned businesses and the government to notify individuals if their personal identifying information was compromised. But there's no gold standard.
An umbrella law on the federal level would be a first step in unifying the patchwork of state reporting standards. “Most data breaches impact consumers in multiple states…And electronic data is rarely segmented by state, so under current law, the question becomes, which state law should apply?” said Debbie Matties, vice president of privacy at the wireless industry advocacy group CTIA, in a PCWorld article. “The state in which the consumer resides? The state in which the breach occurred? Or the state in which the vulnerability existed and was exploited?”
In the past, Congress has failed to pass a federal law, but a new effort to standardize notification laws recently came back into the spotlight. Some advocates want the final legislation to specifically address cybersecurity and breach prevention, as well as public notification.
The proposed federal law could supplant state laws and implement a uniform standard for reporting breaches. Each state has its own set of “triggers” for when to tell the public about a breach. To qualify as a breach, many states require that personal identifying information, such as a consumer's first and last names or first initial and last name, be released together with a social security number, driver's license number, or credit or banking information. But some exempt businesses from notifying customers when the stolen credit or debit card data was encrypted, or when it didn't include the three-digit security code printed on the back of the card. That code isn't required for in-store purchases and isn't encoded on the magnetic stripe, so card data skimmed at a register would fall under that exemption even though it is enough to clone the card.