Who should be liable for data breaches?

0
Discussion
Apr 08, 2014

It’s hard at the moment to come across a story about Target without the words data breach being mentioned. Reports have chronicled the company’s missteps and failure to react to signs criminals had found a way around its defenses. At the moment, banks and credit card companies are responsible for any losses suffered by individuals that come from data breaches, but if legislation being discussed in California is signed into law, liability would shift to retailers instead.

The legislation being proposed, AB-1710, is designed to limit the information that merchants can collect about customers and also make them responsible for losses resulting from breaches. The bill does allow for "liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach."

"Financial institutions should not be taking the heat for a data breach that occurs at a retailer," Assemblyman Roger Dickinson, one of two co-authors of the bill, told the Los Angeles Times.

Retailers oppose the current legislation. Bill Dombrowski, president of the California Retailers Association, said the language in the bill is too broad. "We’ve got a system in place where we allocate costs based on who is responsible for the problem," he told the LA Times.

Should there be more limits on the type of data that companies can collect about consumers? Should retailers suffering data breaches be responsible for the losses coming from that activity or the involved banks and credit card companies?

Join the Discussion!

8 Comments on "Who should be liable for data breaches?"

Notify of

Sort by:   newest | oldest | most voted
Max Goldberg
BrainTrust

Whoever did not protect the data should be responsible for the costs of a data breech. That responsibility previously rested on the shoulders of the financial community. If a retailer does not take adequate steps to protect customer data, and if that data is stolen, the retailer should be liable. That said, retailers and financial institutions need to both step up security measures.

Mag stripe cards need to be replaced by chip and pin. Social security numbers should be uncoupled from retail data and should not be sold.

With liability comes responsibility. Target should have done more to prevent the massive fraud experienced by its customers. Instead, it was arrogant and slow to act. Retailers need to accept more responsibility, a burden that should not fall solely on financial institutions.

Gene Detroyer
BrainTrust

This one is simple. Who is responsible for protecting the data? If it is the retailer and the data is breached, the retailer pays the consequences. Perhaps, next time they will be more diligent.

Roger Saunders
BrainTrust

Alas, the Left Coast is about to create another juicy opportunity for trial lawyers. We can only hope that the insanity of their misguided jurisprudence remains within their own boundaries.

Consumers have a right to expect privacy of their personal and financial matters. They don’t have a right, nor should they feel they will be forever free from charlatans who thieves practicing data breaches (or the other kinds who practice law).

Retailers and banks have to work together to be certain that they are taking the effective steps to assure confidence the consumer can have when making a transaction. As we continue the steady shift to cashless practices — making greater use of credit cards, debit cards, and digital payments — it is in the best interests of businesses to cooperate together. Another “law” is not going to solve that issue. As Mr. Dombrowski points out, we have that system in place.

Steve Sommers
Guest
Steve Sommers
2 years 3 months ago
Who should be liable for data breaches? The hackers orchestrating or performing the breaches and the fraudsters using the stolen data. Should there be more limits on the type of data that companies can collect about consumers? Yes BUT the limits need to be thought out as blocking some information could lead to higher fraud risk. I’ve seen some states and countries enact limits that prevent merchants from performing proper risk controls. Heck, the card brands create some of the fraud issues themselves with wording in the merchant agreements not allowing merchants to perform an ID check. Should retailers suffering data breaches be responsible for the losses coming from that activity or the involved banks and credit card companies? Yes and no and I would only say yes if the merchant was shown to be grossly negligent and the damages would only be up to the point the breach was reported. You have to remember there is no such thing as 100% secure. Simply creating laws making merchants MORE liable does not solve the issue — hackers will continue to hack. At some point, as more and more liability shifts to merchants, merchants will revolt and simply not accept payment… Read more »
Craig Sundstrom
Guest

The catch, of course, is that (the information contained in) stored data can also be used to verify identity…hence preventing fraud. No one here is a lawyer – and even if someone was, there’s not sufficient time to analyze the bill before commenting, so it’s difficult to address this specific effort. Suffice it to say, if everyone was satisfied with existing procedures we wouldn’t be having this conversation. Hopefully the bulk of efforts will be directed toward preventing problems, rather than in paying for them after they happen.

Shep Hyken
BrainTrust

Isn’t this why there is insurance? If retailers are concerned about being responsible for data breach, there are safeguards. Companies like AllClear ID will actually insure every customer for, literally, just a few pennies per customer. This should give confidence to the customer as well as the retailer.

Ed Dennis
Guest
Ed Dennis
2 years 3 months ago

The CEO, COO and the Chairman of the Board. If data is breached for any reason, it is because these three entities made a decision that funding proper protection wasn’t necessary. I would suggest a jail sentence of 2 to 5 years.

Steve Sommers
Guest
Steve Sommers
2 years 3 months ago

Sorry Ed, I have to strongly disagree. There is no such thing as 100% security. As long as there are hackers, breaches will occur. Assuming that all breaches are due to lack of funding for security or gross carelessness equates to assuming that all rape victims are simply careless and should have done more to protect themselves. Mandating that CEOs, COO or board members go to prison for breaches would simply eliminate the acceptance of plastic — both credit and debit — and change us back to a pure cash society.

wpDiscuz

Take Our Instant Poll

Who should assume the major responsibility for losses as a result of data breaches?

View Results

Loading ... Loading ...