Who Should Take Responsibility For a Data Breach?

“A business just suffered a data breach, exposing thousands of customers' credit card information.”

Familiar with this headline? It seems to be in the news more often than we would like, and consumers are left scrambling to protect their personal information in the aftermath. As a company, you're most likely just hoping that the business in the headline isn't yours.

Breach in the retail sector

Eddie Bauer is just one of the latest victims of a data breach, reporting a hack of its point-of-sale system in August 2016. Hackers stole credit card numbers via malware on point-of-sale devices in its stores across the country. This could lead to charges on customers' credit cards as criminals go on a shopping spree - leaving customers to pay the bill.

Thankfully, consumers don't have to pay for charges they didn't make. They are only responsible for the first $50 worth of charges, according to the Federal Trade Commission. Javelin Strategy and Research found that the average loss for credit card fraud reached $980. Credit card companies and banks absorb the charges - they are the cost of doing business and delivering positive customer service.

The recent Eddie Bauer breach raised questions related to this practice. The credit union responsible for covering any false charges for its customers filed a class-action lawsuit against the clothing retailer. Veridian Credit Union cited lax security standards at Eddie Bauer, which, it claimed, led to the breach. Had the company taken the proper precautions, Veridian argued, the breach would not have happened. The precautions would include stronger cybersecurity as well as notifying customers as soon as the breach occurred. According to The Seattle Times, the company learned of a potential breach in July 2016. Yet it waited six weeks to alert customers.

The cost of doing business

Veridian's decision to sue Eddie Bauer is not unprecedented - in part because it makes sound business sense for the credit union. The Seattle Times did not report the number of customers affected by the breach - but the costs can quickly mount for banks and credit card companies. For instance, in the aftermath of the Target breach in 2014, the Consumer Bankers Association found that their institutions suffered over $170 million in losses. Why should they pay for a retailer's negligence?

If a retailer shows negligent behavior, it can sour its relationship with banks and credit card companies if it asks them to pay for the damages.

Who should pay when the culprit is harder to identify? The Home Depot breach, for instance, occurred due to a hacker gaining access to credentials from a third-party vendor. Yet, the company settled in August 2016 with customers affected by the breach, for $13 million. David Pommerehn, the president of CBA, noted it's an ongoing discussion of who should pay.

"If merchants are responsible for breaches, we believe that the re-issuance cost should be their responsibility to cover," he noted.

As breaches occur with more frequency, businesses may promote their security as a differentiator from their competitors. According to the Federal Trade Commission, companies who purport to protect their customers' data as a business differentiator and fail should pay for any costs resulting from that hack.

Navigating legal waters

The best practice in this type of situation is to engage or consult with your legal counsel, ideally a firm or individual who has experience in these types of cases. They can also help you with breach notification laws and how to appropriately communicate a data breach to customers.

In general, having a plan prepared before a breach happens can minimize some of the frenzied response when a breach does occur. Learn more about how Identity Guard Business Solutions can help you prepare and respond to a breach today.
