Leadership Laboratory
- Leadership Lab: Information Technology and the Law
This series of essays explores the many aspects of technology law relating to computer and information security.
Let Credit Card Industry Allocate Data Security Risks by Negotiation - March 12th, 2007
Data Thefts - Give the Public the Disclosure It Seeks - March 22nd, 2007
Network Neutrality - Updated July 3rd, 2007
Can Cyber Criminals Consent to Being Watched and Foiled? - May 14th, 2007
The Dangers of Too Much Data Privacy - May 28th, 2007
Assembly Bill (AB) 779 Suffers from Sloppy Draftsmanship - October 12th, 2007
New Merchant Liability for Losing Credit Card Data - June 14th, 2007
ChoicePoint Marked New Era in Data Security Law - May 31st, 2007
Let Credit Card Industry Allocate Data Security Risks by Negotiation
March 12th, 2007
By Benjamin Wright, JD
Retailer TJX suffered a highly publicized breach of security in which some credit card data was compromised. Media reports declare the incident has directly led to significant fraud on specific consumer credit cards, though TJX questions these reports. Financial institutions claim they have been forced to cancel and replace the credit cards of thousands of TJX customers. Some financial institutions have sued TJX to recoup the costs they incurred in replacing the cards.
On the heels of this story, Massachusetts legislators are considering a bill to require retailers to assume greater liability for losses suffered when the security of credit card data is compromised. Joseph Pereira, "Bill Would Punish Retailers for Leaks of Personal Data," Wall Street Journal, Feb. 22, 2007, page B1. The legislators are motivated in part by reports that financial institutions suffered high costs when they replaced the cards of TJX customers.
I am skeptical of the proposed legislation. It could do more harm than good.
Before the legislature undertakes an adventure in the field of credit card law, it should consider these points:
- The various players in the credit card industry are subject to a complex, negotiated web of contracts and standards that allocate risk and responsibility. These contracts and standards will govern whether TJX owes something to financial institutions that issue credit cards.
- The prevailing contracts and standards are constantly changing as the industry and market adjust to changes in technology, economic incentives, criminal tactics and so on. If the TJX incident proves that the present allocation of risk and responsibility is unfair, then the players can re-negotiate.
- To ascertain the actual damages and risks flowing from a security breach is hard. People can over-react, and they can under-react. Just because a bank claims a loss does not mean it was in fact caused by a particular security breach. In the case of TJX, legislators should not assume that just because banks allege big losses they have been fair and level-headed in judging, managing and mitigating those losses. Complaining is easy.
- A patchwork of laws from individual states can breed confusion. Confusion is already apparent from the conflicting state laws requiring notice to consumers when their data are suspected to have been compromised. See the laws at http://www.ncsl.org/programs/lis/cip/priv/breach.htm
Retailers, financial institutions and other players in the credit card industry have a forum for working out their relationships. Special state laws such as that proposed in Massachusetts tend to lock in the technologies and business models contemplated at the time the legislation is enacted. They make it more difficult for industry to adjust its practices and technology to thwart future criminals.
We discuss these and related issues in greater depth in the course I author and teach, LEG425, Applying Law to Emerging Dangers.[1]
==
Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by The SANS Institute.
==
1. http://www.sans.org/training/description.php?tid=862