California Bill: Retailers Should be Responsible for Data Security Breaches

Target’s now notorious breach of its consumers’ personal data might inspire new legislation that shifts the responsibility for cyber-security from banks to retailers.

Two legislators from the California Assembly are promoting a bill designed to fortify consumer safeguards by limiting the kind of data retailers can legally collect, making them ultimately responsible for its protection. The bill, AB 1710, is expected to ignite a tempestuous political dispute that could have federal ramifications. Bill Dombrowski, president of the California Retailers Association, said, “It’ll be a big fight, a tough fight.”

The bill is crafted as a response to Target’s inability to insulate its shoppers’ personal, financial information from theft. Hackers broke through Target’s online security system, accessing the personal data–financial and otherwise–of more than 70 million shoppers. The credit and debit card information of more than 40 million people is now considered compromised. Analysts predict that at least 15 percent of the credit cards could incur fraudulent charges, averaging as much as a few hundred dollars in illicit charges per card. The debacle could ultimately cost someone–either financial institutions or Target–several billion dollars in total, with an estimated $1.1 billion in repayments to banks for unauthorized transactions.

The new bill proposes that retailers, not financial institutions like banks, would absorb any costs incurred by such a breach. According to the bill, co-authored by Assemblyman Roger Dickinson (D-Sacramento) and Assemblyman Bob Wieckowski (D-Fremont), “Financial institutions should not be taking the heat for a data breach that occurs at a retailer.”

Banks have already loudly complained that Target should shoulder the costs of its mistakes. A lawsuit was initiated by Umpqua Bank (UB), headquartered in Portland, Oregon. UB alleges that in a mad rush to assuage angry customers who had their data accessed as a result of Target’s negligence, the retailer promised that no shopper would be held accountable for fraudulent charges as a result of the breach. However, UB complains that Target had no right to issue such a promise since it is the relevant financial institutions, the banks and credit card companies, that will now have to foot the bill.

The official complaint filed pulls no punches. “As details of the data breach emerge, security experts profess bewilderment by the level of negligence exhibited by defendant in maintaining the security of highly sensitive consumer financial data. Reports proliferate of Target’s ‘astonishingly’ vulnerable security systems, which lack the virtual walls and motion detectors found [as a matter of course] in secure networks.”

According to UB, it has already incurred substantial financial costs as a result of Target’s missteps: contacting all its customers, reissuing new cards, investigating claims for fraud and reimbursing card holders for fraudulent charges have proven expensive. Card replacements alone, according to a study conducted by the Credit Union National Association, are estimated to cost a total of $200 million.

Currently, there are nearly seventy class action suits alleging that Target failed to take adequate steps to ensure the safety of its customers. Tina Wolfson, an attorney at Ahdoot & Wolfson P.C., who is the lead attorney on one of the suits, said that Target’s failure “to maintain reasonable security procedures, and delays in notifying customers, will put her clients at risk for identity theft for years.” She continued, “This could be the biggest case I’ve seen in number of people affected.”