What do Michaels Stores, PF Chang’s, Neiman Marcus, Goodwill, and Target have in common? They’ve all suffered large data breaches in the past twelve months, leaving millions of consumers at risk. With the recent news that Home Depot is being investigated for a data breach that could be the largest of all time (over 110 million consumer records breached), retailers now face a harsh reality: the enactment of new state and federal laws holding them accountable to consumers.
Currently, State and Federal law is relatively lenient toward retailers confronted with breaches. Retailers are not liable for any of the costs to financial institutions for breaches, such as replacement cards (which cost $5-$10 per card to replace), or account monitoring. Presently, retailers are only required to pay for the losses that occur in their stores in the form of chargeback refunds (https://www.dalpay.com/en/support/chargebacks.html).
Yet, even without statutory liability, retailers still suffer millions of dollars in losses for every breach that occurs.. According to a report from the Ponemon Institute (http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis), the average cost to a company for a breach of data is $3.5 million, up 15% from 2013. However, recent breaches by big-named retailers such as Target (whose data breach affected over 100 million consumer records) can cost companies hundreds of millions of dollars. These losses come from replacing inventory, paying chargeback refunds, and from drops in revenue and stock price due to consumer concern. According to LexisNexis, the average merchant lost .68% of annual revenue to fraud in 2013, but the total costs is a higher multiple of that (http://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf). Essentially, for every $1 lost to fraud, retailers had to spend $3.08 to replace lost inventory and cover chargeback fees and other penalties.
Now, to add insult to injury, new laws have been proposed that could add more liability to retailers for future data breaches. For example, California has proposed Bill AB 1710, which would hold retailers liable for reimbursing any financial damages to their customers due to security breaches regardless of where the breached credit card information is used. Kentucky, New Mexico, Iowa, Minnesota, and Florida have also proposed security data laws, which could affect the future of retailer’s breach liability (http://www.mondaq.com/unitedstates/x/326416/Data+Protection+Privacy/New+and+Proposed+US+Data+Breach+Notification+Laws). Additionally, Attorney General Eric Holder has called for Congress to pass more stringent federal laws regarding customer notification after data breaches, which could lead to even more rigorous standards in the near future. All of these potential new standards will need to monitored and will certainly add up to extra costs for retailers who suffer data breaches.
Author: Troy Morris and Daniel Broidy