The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One

Written by Evan Schuman
April 2nd, 2008

There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing.

Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers. I’m going to try and avoid using modern-day chains to illustrate good and evil. Regrettably, I think it’s a safe bet that I am about two sentences away from failing that effort.

Let’s take TJX as an example. (Only one sentence. I was close, though.) Based on various SEC filings and court documents, it’s clear that TJX engaged in a wide range of security procedures that were, to be charitable, less than diligent.

But, as we’ve pointed out many times, the millions in expenses that TJX has had to spend had absolutely nothing to do with any alleged security sloppiness. Indeed, TJX won the overwhelming majority of court decisions and the settlements with both its consumer and bank class action efforts were stunningly favorable to TJX.

It’s legitimate to say that all of the costs TJX had to endure were the cost of doing business and they almost all went to paying lawyers, contacting consumers and handling monitoring and related activities. Oh, and paying for analysts and forensic investigators and upgrading security.

The key point is that TJX’s pain was not because of any supposed sloppy security practices. TJX shrewdly sidestepped and sealed those issues, focusing on the lack of financial losses suffered by the plaintiffs.

In other words, they paid because they were breached. There certainly was ample evidence that bad procedures were followed, but the litigation never progressed to the point where that evidence would be tested. No jury was ever empanelled. No trial ever happened. Therefore, none of the money was paid because of how they handled their security.

Now let’s fast-forward to today. We’re seeing bits and pieces of information that suggest that Hannaford was breached in an unanticipated manner and that Hannaford, as far as we can tell thus far, did everything it could have been expected to do.

Here’s the irony: Given the fact that the court system racks up charges regardless of how security was handled, a properly-secured retailer could face similar costs to a poorly-secured one. (The larger the breach, the higher the costs, to a certain extent.)

But if the well-secured retailer happens to be smaller than the poorly-secured one (as is the case with Hannaford being a fraction of the size of TJX), it’s quite possible that the legal costs could be more painful for the smaller retailer that did everything properly. Let that sink in for a moment.

A retailer that had slipshod security (Maybe we should call them Breach Bums? Maybe not) will be spared. Many reasons for this, including the fact that zero-liability credit card programs take the pain away from consumers. As long as consumers don’t lose any hard cash, they can’t show damages and their claims eventually go away before a trial.

What message does this give to retailers that want to do the right thing and be secure? More importantly, what message does it give to cyber thieves?


2 Comments

  1. David Navetta Says:

    This article is confounding.

    Well secured retailers won’t suffer a breach of cardholder data in the first place, and therefore won’t be punished.

    Moreover, publicly stating that you are PCI compliant does not mean you are actually PCI compliant.

    Thirdly, thinking that PCI compliance is a shield to all lawsuits and liability is wrong. Security pros, talk to your lawyers, ask them about T.J. Hooper.

    We don’t know what happened in this case, so to assume that Hannaford was diligent is premature (and that is what we will find out in litigation — that is the system we use to settle disputes in this country, like it or not). This article has jumped the gun.

  2. Evan Schuman Says:

    Editor’s Note: For the record, we didn’t say Hannaford was diligent. We have raised many questions about that and in this story, stressed that we don’t know yet. But we were talking about the theory that even IF Hannaford was diligent, it doesn’t provide legal protection. It was the irony that, theoretically, a retailer with perfect security might get hurt more than one with terrible security. Just something to chew on.
