Henry Meier says he loves Five Guys’ burgers, but a data breach at the fast-food chain has him seeing red.
The breach, which exposed customer information at four local restaurants, “demonstrates yet again why merchants have to be made more responsible for protecting debit, credit and, increasingly, prepaid cards,” Meier wrote on his blog, New York’s State of Mind.
Meier, who serves as associate general counsel for the Colonie-based Credit Union Association of New York, uses the blog to keep his trade group’s members apprised of legislation that could affect them. He posts there occasionally about data breaches, and that’s when his institutional bias shows: “The party most identified with the breach” — the banks and credit unions that must field customer complaints and issue new cards when accounts are compromised — “didn’t create it,” he told me this week.
Instead, it’s usually the merchant or third-party processor whose system is hacked, exposing customers’ credit and debit card information and putting them at risk for fraud. Yet the reputation of neither the merchant nor the processor takes a hit because they aren’t top of mind with the customer, Meier says. So “it’s not in the merchants’ interest” to disclose a breach, he said when I inquired about his Five Guys post.
Legislation in nearly all 50 states requires that notification be made when security breaches occur. In New York, businesses are supposed to act quickly once “private information,” such as social security, driver’s license, credit or debit card account numbers, is revealed — although a delay is allowed if so directed by an investigating police agency.
The notification “shall be directly provided to the affected persons,” according to New York’s statute — which means it doesn’t have to be shouted from the rooftops.
Indeed, the Five Guys chain only admitted publicly to the data breach at franchises in Glenmont, Niskayuna, Queensbury and Wilton after Trustco Bank filed suit last month to recoup $104,000 in damages. The bank alleges the chain failed to secure debit card information, which subsequently was used to make unauthorized purchases. Similar admissions after the fact occurred in breaches that embarrassed the Hannaford supermarket chain in 2008 and retailer TJX Cos. (Marshalls, TJ Maxx) in 2007.
An annual report that looks at data breaches worldwide says the majority are discovered by outside parties, often months after they occur. “While at least some evidence of breaches often exists, victims don’t usually discover their own incidents,” says the 2012 Data Breach Investigations Report, compiled by Verizon Communications with the help of the U.S. Secret Service and police agencies from around the world. “Third parties usually clue them in, and, unfortunately, that typically happens weeks or months down the road.”
The report put the number of data breaches at 855 last year, which affected 174 million records.
Meier wants to see statutes that give merchants a greater role in ensuring that breaches don’t occur, whether through incentives or fines. “Place the burden on the party most responsible for the loss,” he says, which in his mind is the retailer.
Minnesota and Washington state passed legislation in recent years that makes it easier for financial institutions to sue retailers for restitution after a data breach. A handful of other states are looking at similar laws, according to the National Association of Attorneys General.
Meier’s reasoning: “The party paying for the breach has the greatest incentive to guard against it. … Merchants need to be brought into the equation.”