New Law Lets Banks Recover Data Breach Costs
Washington is the latest state to pass legislation targeting lax defenses against ID theft and cybercrime among retailers.
Washington last week became the third state to pass legislation that will allow banks to recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with current Payment Card Industry (PCI) standards.
The law, which goes into effect on July 1 in Washington, follows similar laws passed in the states of Minnesota and Nevada and marks a fundamental change in the way government and private sector industries assign responsibility and accountability for preventing identity theft.
While it's difficult to ascertain exact and updated figures, independent security research firms claim identity theft cost American consumers and companies more than $54 billion last year and directly impacted more than 11.1 million adults, up 12 percent from 2008.
And as these identity theft crimes multiply in both volume and cost, banks have had to bear the brunt of the financial responsibility, writing off billions in losses and spending hundreds of millions more to improve the security of their networks and prosecute the tiny percentage of cyber crooks who actually are identified and arrested.
Often, consumers and individual retailers are able to recoup most if not all of their losses from the banks, leaving the financial institutions to chase the bad guys -- and their cash.
The PCI Data Security Standard, which is a comprehensive set of technical and procedural requirements for enhancing data security, was first established in 2005. Major credit card providers and financial services firms such as American Express (NYSE: AXP), Discover Financial Services, MasterCard Worldwide and Visa were among the founding members of the PCI Security Standards Council.
The standards require payment processors and retailers to implement commonsense but often costly security practices including installing and maintaining a firewall, encrypting cardholder data across public networks, creating unique passwords for vendor-supplied computer systems and assigning a unique ID to each person with access to their transaction systems.
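To make three of those requirements concrete, here is a small audit routine, added as an illustration and not taken from the article, the PCI Security Standards Council or any vendor, that checks an account and network inventory for vendor-supplied default passwords, for accounts not tied to exactly one person, and for cardholder-data links that cross a public network without encryption. The inventory and the list of default credentials are constructed sample data, not real products or findings.

```python
"""Audit a constructed account/link inventory against three PCI DSS practices:
no vendor-supplied default passwords, one unique ID per person with access,
and encryption of cardholder data crossing public networks.
Added example; all data below is constructed for illustration."""

# Constructed list of vendor-supplied default (username, password) pairs.
# A real deployment would source this from the vendor documentation of the
# systems actually in use; these entries are illustrative only.
VENDOR_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("pos", "pos"),
}


def audit_accounts(accounts):
    """Each account is a dict with 'user', 'password' and 'people' (the names
    of everyone who logs in with it). Returns a list of finding strings."""
    findings = []
    for acct in accounts:
        # Requirement: change vendor-supplied defaults before going live.
        if (acct["user"], acct["password"]) in VENDOR_DEFAULTS:
            findings.append(f"default credential: {acct['user']}")
        # Requirement: a unique ID per person; shared (2+) or orphaned (0)
        # accounts both break the audit trail.
        count = len(acct["people"])
        if count != 1:
            findings.append(f"shared or orphaned account: {acct['user']} ({count} users)")
    return findings


def audit_transport(links):
    """Each link is a dict with 'name', 'public' (crosses a public network)
    and 'encrypted'. Only public links are in scope for this check."""
    return [
        f"cleartext over public network: {link['name']}"
        for link in links
        if link["public"] and not link["encrypted"]
    ]


# Constructed sample inventory for a small retailer (illustrative only).
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password": "admin",
     "people": ["store manager", "assistant manager"]},
    {"user": "jsmith", "password": "constructed-unique-passphrase-1",
     "people": ["J. Smith"]},
    {"user": "register2", "password": "constructed-unique-passphrase-2",
     "people": []},
]
SAMPLE_LINKS = [
    {"name": "POS to processor", "public": True, "encrypted": True},
    {"name": "legacy batch upload", "public": True, "encrypted": False},
    {"name": "back-office LAN", "public": False, "encrypted": False},
]


def run_audit(accounts=SAMPLE_ACCOUNTS, links=SAMPLE_LINKS):
    """Combine both checks into one list of findings."""
    return audit_accounts(accounts) + audit_transport(links)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed inventory the audit reports the default admin credential, the admin account shared by two people, the orphaned register account and the unencrypted batch upload; the internal LAN link is not flagged because it never leaves the private network.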
Five years later, only 28 percent of companies with between 501 and 1,000 employees said they were in full compliance with PCI DSS, according to a study by Imperva, a data security software vendor, and the Ponemon Institute, an independent research firm.
Moreover, only 70 of the country's largest corporations (75,000-plus employees) are in full compliance with PCI DSS.
"Companies know PCI DSS as a compliance requirement," Larry Ponemon, the Institute's founder and chairman, said in a podcast detailing the survey results. "You have to do it and if you have the resources to do that, maybe with just a little bit more resources and maybe being smart in the spending on those resources, you can accomplish more and better security."
The rub, of course, is that thus far there have been virtually no consequences for companies that failed to comply with PCI DSS beyond largely idle threats of being dropped by credit card issuers and banks -- something that's especially difficult to follow through on when the economy is in the tank -- and the inability to advertise themselves as being in compliance with the standard.
And while there's no question that retailers and payment processors do lose money and customers after suffering a high-profile data breach, those losses still pale in comparison to the costs of adding the needed security software, hardware and personnel required to become PCI DSS compliant.
"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle -- especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in the compliance report.
Short of modifying the PCI DSS requirements for small and midsized companies -- an issue that's constantly under review by the PCI DSS Council and various industry groups -- companies that cannot or will not comply with the security standards will remain targets for enterprising identity thieves.
For SMBs -- or recalcitrant large companies -- operating in Nevada, Minnesota and now Washington, these new laws will raise the stakes and put them at risk of losing more than just their reputations.