For retailers, the drama surrounding data breaches never seems to end. First, there’s a security scare, followed by a panic once those suspicions are deemed true. Then comes the finger pointing, shaming, and issued apologies. Finally, we conclude with a regulatory meeting of powers producing promises that never quite seem to come to fruition.
Target is the newest player in this consumer data-security drama. Between Nov. 27 and Dec. 15, the Minneapolis-based retailer suffered a data breach compromising 40 million credit and debit card accounts, as well as the personal information of up to 70 million customers. Hackers carried out the breach using malware clandestinely installed in Target’s system. Following the company’s Dec. 19 public announcement of the theft, several other retailers have come forward to disclose their own customer information breaches, including Neiman Marcus and Michaels, whose breaches are believed to be the work of the same criminals behind Target’s theft.
With a large amount of media attention surrounding these breaches, Americans are taking notice and responding, both verbally and through their pocketbooks. A number of proposed regulations and industry security adaptations have been mentioned—but which will stick, and, most importantly, work?
We take a look back at the history behind these security breaches to see which proposed measures can rectify past wrong-doing and prevent further consumer theft.
What has been done
While 70 million is a striking number, Target’s situation has yet to eclipse TJX Companies Inc.’s 2007 data breach, which compromised 90 million records at off-price retailers including TJ Maxx and Marshalls. In 2009, TJX agreed to a settlement of $9.7 million with 41 states, formulated to help protect consumers from corporate negligence. The settlement also apportioned $2.5 million to help with the creation of a national fund to investigate future data breaches. Despite this, TJX still maintained the position in 2009 that it “did not violate any consumer protection or data security laws.”
Quick retribution seems to be a trend within the corporate sphere, even if the company never fully admits to wrong-doing. But while the TJX matter was settled (somewhat) peacefully, these days the debate is intensifying. On Feb. 4, top Target executives, federal regulators, and stores’ and banks’ trade groups descended on Washington to testify at a series of hearings investigating consumers’ digital security. Concerns focused on data breach notification requirements, technological prevention enforcement, and the need for a more secure credit card technology in retail.
The last issue is one raised time and again whenever security and data breaches come to light. Currently, a majority of American credit cards are outfitted with magnetic stripe technology, which many experts have deemed antiquated and unsafe. The front-runner and popular choice to replace this technology is EMV, which outfits cards with a small chip that makes counterfeiting sensitive card information tougher than it is with magnetic stripes. This addition to American credit cards may lead to big results when it comes to the fight against fraud, but retailers have been slow to adopt it, citing costs estimated at $15 billion to $30 billion to do so.
What can be done
So what’s being done now, and what do these changes look like for the future of the retail industry?
Target made some headlines when it announced an overhaul of its information security and compliance division, including the March 5 resignation of Chief Information Officer Beth Jacob. Part of this overhaul includes a new executive appointment whose duties will be centered on web safety—a responsibility that was split between several positions in the past.
This focus on cybersecurity reform may have retailers looking at a new meaning behind the phrase. In the past, most connotations connected to the word “security” in retail have been focused on a loss-prevention point of view—a stationed man guarding the doors and video-monitoring the store. With these data breaches, the phrase is becoming more customer-oriented, focused on the shopper’s security more than that of the merchandise. It seems that as retail reaches a seemingly customer-oriented era, companies must adapt their security measures to do the same.
Neiman Marcus and Target seem to be heading in that direction. Both companies are offering customers who frequented the stores from January 2013 to January 2014 one free year of credit monitoring, and Target is aiming to install chip-reading hardware in all of its stores six months before the proposed industry-wide deadline of Oct. 2015. Although these measures will add to the already $61-million tab of expenses related to the breach in Q4, any indication of proactive measures made by Target can’t hurt its efforts to move on from the company it was when it experienced the breach.
Garnering these new reputations has rewards beyond a recovery for the retailers involved. It has ramifications for the economy as a whole, according to Senator Patrick J. Leahy, chairman of the committee tasked to investigate privacy in the digital age. When consumers’ trust in the companies falters, so does their spending, leading Leahy to state that “our economic recovery is going to falter” because of it.
Facing the threat of these dire consequences, it seems that the best thing these retailers can do is distance themselves as far as possible from the perceived “unsafe” systems employed at the time of these hacks. Restructuring, a higher focus on cybersecurity, and the adoption of safer payment methods are all part of the equation. It must be noted that in addition to presenting a retailer as more secure, all three of these measures actually make it more secure. This can only lead to good news—for them, for consumers, and for the economy as a whole.