Whew! Dodged that bullet.
When the Michaels arts-and-crafts chain admitted a breach of customer credit and debit card data last month, the local store I shop occasionally was hit. But it turned out my purchase there last summer was just outside the affected dates.
I also lucked out on Sally Beauty Holdings’ March announcement of a breach. I shop the hair-care retailer only when one particular “styling appliance” — a curler I can’t find elsewhere — breaks down every couple of years. But that hasn’t happened recently.
Nieman Marcus? The luxury merchant isn’t in our market, so I skated by that breach, which was revealed early in the year.
The massive breach at Target over the 2013 holiday season, though, likely ensnared me — or at least my bank felt it prudent to replace the credit card I had been using.
Staying vigilant on retail breaches can be exhausting. Congress may want to have my back on the problem as much as retail and banking interests do, but so far none has found the magic bullet.
Even this month’s “big data” report from the White House on privacy and data collection contained a recommendation on fighting breaches. But who knows when or whether it will gain traction.
Right now, 46 states and the District of Columbia have their own rules on data protection, which is part of the problem.
After Target’s breach, which affected as many as 110 million customers, Congress seemed interested in crafting national legislation to better protect personal information and simplify the breach-notification process. That effort stalled, though, after largely partisan bills surfaced following hearings in Washington, D.C.
Retail and banking interests also seemed amenable to a national law, although each likes to point a finger of blame at the other for the breaches. (Financial institutions need to adopt new card technologies, the retailers say; chains need to be held accountable when lax protocols allow data to be stolen, bankers say.) The White House’s May 1 “big data” report reached back to a 2011 administration proposal for national legislation that would require businesses handling more than 10,000 transactions a year to notify consumers quickly — within 60 days — if their personal information were stolen.
But as one privacy and data-security lawyer told The Hill newspaper in D.C., national data breach bills have been around for years. “There is a reason they haven’t passed,” he said, pointing to the difficulty of writing legislation to surmount so many state laws.
Yet the Michaels chain set an example when it posted on its website a detailed state-by-state list of likely affected stores and breach dates. On the other hand, finding out when Sally’s thought its system was breached took a bit of sleuthing.
C’mon now. Do consumers really have to assume a Sherlock Holmes persona to discover whether our cards and data have been compromised? We deserve better.
Marlene Kennedy is a freelance columnist. Opinions expressed in her column are her own and not necessarily the newspaper’s. Reach her at email@example.com.