Retailers to Hold Data-Breach Bag?

Proposed legislation in Massachusetts would make retailers financially responsible for breaches of their databases that lead to consumer identity theft.

Under a bill introduced by Rep. Michael Costello, Massachusetts would become the first state to move beyond consumer notification requirements of data breaches to make all commercial entities that keep consumer information bear the costs associated with identity theft.

Most banks and original credit-card issuers such as Visa and MasterCard assume the costs of unauthorized transactions, canceling credit cards and the opening of new accounts. According to the Federal Trade Commission, identity theft cost consumers $5 billion and businesses and financial institutions almost $48 billion over the last five years.

“Somebody has to pick up the cost of identity theft and we feel retailers have a responsibility to secure the data they hold,” Adam Martignetti, Costello’s chief of staff, told

He cautioned, however, it could be some time before the Massachusetts Legislature votes on the legislation, noting the bill was just introduced and the Legislature has just begun a two-year session.

Costello’s bill would make retailers such as Framingham, Mass.-based TJ Maxx financially liable to banks for fraud-related costs undertaken by the banks on behalf of customers. The bill would cover all commercial entities — in-state or not — that do business with Massachusetts consumers.

The legislation defines “personal information” as a Massachusetts resident’s first and last name used in combination with a Social Security number, driver’s license or an account, credit card or debit card number.

“The bill really attaches some teeth to compliance,” said David Etue, a senior security strategist for Fidelis Security Systems. “It just makes perfect, logical sense. If they created the risk, they should take on some of the financial burden.”

Etue said shifting the financial burden to the holders of consumer data should be a part of all data breach legislation. More than 35 states have passed laws requiring consumer notification of data breaches. Congress has been debating various data breach measures for more than two years but has not passed any legislation.

“Someone who doesn’t take responsible security measures should be penalized,” he said. “A lot of the problems we’ve had came from people not doing the right thing [in protecting data].”

Etue said if the bill passes, the idea may gain traction in other states, but he doubts Congress would go so far as to impose financial penalties on retailers and other holders of personal consumer data.

“I’m sure [retailers] will point out they are already paying 2.5 percent and more for fraud protection as part of their processing fees,” he said. “The federal government has hesitated many times in the past to get involved in credit card issues.”

Members of both the U.S. House and Senate have already introduced legislation dealing with data breach notifications. None of the bills would require retailers to assume the costs of their data breaches.

News Around the Web