Some see it as the somewhat inevitable fallout from a seemingly neverending spate of data breach disclosures. Others are blasting the proposed plan as unfairly penalizing retailers while letting banks and credit card companies off the hook.
The legislation was proposed by Democratic state Rep. Michael Costello. It would require retailers who suffer a data breach to reimburse card-issuing banks for the costs involved in blocking and re-issuing cards, closing and opening new accounts and any other measures they're forced to take because of the breach. Banks and credit unions have typically until now been forced to assume those costs, which sometimes total more than US$30 per card.
The Massachusetts bill is the first of its kind to be proposed in the country, though similar legislation is being considered at the federal level, too. The bill's fate is uncertain and if it does win approval, it would actually apply to all businesses -- including banks and card processing companies operating in Massachusetts, regardless of where they are based.
But it is retailers who are seen as the main targets of the measure, especially since it comes in the aftermath of a at TJX Companies Inc. and a somewhat less serious one at Stop & Shop Supermarket Companies Inc.
"This is what happens if industry doesn't respond fast enough to [information security] challenges," said Brian Kilcourse, president of the Retail Systems Alert Group, a Newton, Mass-based consultancy. A recent survey by the company showed that about 43 percent of retailers still don't have any sort of incident response plan to deal with breaches such as the one that hit TJX.
"It isn't a far stretch of the imagination to think that if the industry cannot regulate itself and cannot follow commercial standards such as PCI, that government will step in," he said. And the consequence of government intervention could wind up being "something like" the information security requirements required by the Sarbanes-Oxley law, he said.
"It's impressive that Massachusetts has taken the first step forward" in dealing with retail security issues, said Alex Bakman, CTO at Ecora Software Inc., a security vendor. Despite a considerable push by credit card companies such as Visa International and MasterCard Worldwide to push adoption of the Payment Card Industry (PCI) Data Security Standard, a large number of retailers remain non-compliant, he said.
"Unfortunately, in the retail community they are all trying to keep a lid on any kind of expenditures" and have paid scant attention to information security, he said. "I am very much for this legislation. I think it was inevitable."
Others though had a different take.
Jon Hurst, president of the Massachusetts Retailers Association, blasted the idea and said it is unreasonable to assign 100 percent of the costs incurred from security breaches on the retailers alone.
"We, of course, strongly oppose it," he said. To put in a state law and have it favor the banks is "sending money one way," he said. "That's just plain wrong and we can't accept that," especially because there are multiple parties involved in a payment card transaction.
While retailers need to shore up security, card-issuing banks have their own responsibility for improved user authentication and for reducing fraudulent card use on their networks, Hurst said. "It would be one thing if the issuing banks were also held 100 percent responsible [for losses incurred by retailers] when a card is fraudulently used."
What also makes the proposed bill egregious is the fact that credit card companies and banks are already recovering fraud-related costs upfront from retailers via the so-called interchange fees associated with card use, he said. Contractual agreements between all parties in the payment card chain also ensure that merchants who suffer breaches already pay for the costs involved in dealing with it.
"What the bill is suggesting is a third level of recovery and that is just unacceptable," Hurst said.
John Pescatore, an analyst with Gartner Inc., echoed similar concerns.
"Okay, merchants should be doing a much better job of protecting their data and that is why there's PCI," Pescatore said. But credit card companies and banks also need to do more to make payment card transactions more secure via measures such as the PIN and chip-based transactions that are already in use in Europe. So far, though, they have been unwilling to make the investments necessary for those kinds of measures and instead appear more keen to go after retailers who already bear a lot of the costs, he said.
"I think this is a reactive piece of legislation," said Cathy Hotka, president of Cathy Hotka and Associates, a retail consultancy in Washington D.C. "I am not sure how persuasive the argument is to punish retailers," when so many others are also involved in a payment card transaction, she said.
Adam Martignetti, chief of staff at Costello's office, said the impetus for the bill comes from growing identity theft concerns spawned by breaches such as the one disclosed by TJX. "This came out of our conversations with the Massachusetts Bankers Association," he said. "We just felt there was a need for an incentive for all people who hold [customer data] to hold it safely and securely with all the right security protocols that are available. If that incentive had to be a financial one, then so be it."
The proposal has been sent to the Consumer Protection Committee, which will hold public hearings and make a recommendation on whether it should be voted on, Martignetti said. Similar legislation was proposed by Costello two years ago, but that bill never made it to the House floor for a vote. This time around, it should get more attention because of the concerns sparked by the TJX incident, he said.