The Empire Strikes Back?

You can’t possibly have missed the flurry of articles in the press over the past few years regarding identity theft and the measures being taken (or vulnerabilities exposed) to protect the non-public, personally identifiable financial information that consumers access, use and provide in the course of routine payment transactions—both offline and online. Indeed, several years ago, the Payment Card Industry (“PCI”) began formulating its own self-regulatory standards governing the protection of consumer information relating to the processing of credit, charge and debit card transactions. This has led to the development of the PCI Data Security Standards (“DSS”) and corresponding Data Security Audit Guidelines. In broad terms, the PCI DSS requires the protection (by encryption or other effective means) of personal information throughout the payment card process—whether in storage, card processing, point of sale/purchase or recordkeeping—at every link in the chain of payment using a payment card or a device linked to an account at a financial institution.

As a result of the furor over the release of private information—including releases from governmental agencies and databases (e.g., social security numbers, driver’s license numbers)—more than 30 states have passed specific legislation requiring companies that know, or reasonably suspect, that data, databases or electronic/digital information containing consumers’ personal information has been compromised or actually leaked, to disclose the incident and notify the consumers affected (or potentially affected) by the security lapse or potential breach. Federal legislation has been proposed, although nothing has yet been enacted, and the states have stepped in to fill the perceived gap, protect the information of their citizens, and regulate the conduct of companies doing business within their borders.

Much of the angst over security compromises in private-sector commercial transactions—starting most visibly with ChoicePoint several years ago and continuing in a steady stream thereafter—arises from the fact that retail merchant establishments have traditionally not had to worry about privacy and the secure management of customers’ personal and financial information, primarily because they haven’t been regulated or otherwise needed to do so. Enter the digital age of information and the ability of marketing and advertising gurus (within and for retailers) to data-mine and use vast amounts of previously cumbersome and often unattainable information about customers. If information has always been power, then digital information transforms that power exponentially, at the speed of light (literally, for those physics majors masquerading as lawyers or marketing professionals).

The combination of security standard requirements, consumer protection legislation and digital technology has conspired to significantly increase both preventive and compliance costs for everyone in the chain of payments and financial transactions. Now some banks have decided to strike back. Three community banks and three state trade groups have filed a class-action lawsuit against TJX Cos. (to us folks, this is the company that owns TJ Maxx, Marshalls and HomeGoods). You might remember the news late last year when it was found that computer hackers had been accessing credit and debit card transactions made at TJX’s stores—at least since mid-2005—and that potentially more than 40 million cards may have been compromised. TJX disclosed the breach itself in January 2007.

Now the banks and trade groups are claiming that, between the costs of reissuing cards and simply bearing the risk of theft and fraud inflicted on unwitting consumers by the hackers, the bill to the banks is in the tens of millions of dollars. The lawsuit demands that those costs be covered by the retailer, and the plaintiffs want the courts to hold the retailer responsible and financially liable for the damages resulting from the breach.