Companies that profit from data collection should be held financially accountable when they fail to secure what they store

I’ve posted on this topic in the past, but I can’t say it enough: Retailers that lose customer information to crackers should be penalized massively. There is no other way to stem the tide.

Neiman Marcus is the latest in a long line of companies that lost control of credit and debit card data for its customers. Target’s massive breach affected as many as 70 million customers; TJ Maxx lost tens of millions of customer credit cards back in 2005; Heartland Payment Systems, a credit card processor, lost 130 million records in 2009. In every case, the retailers express their sorrow and sympathy, and they promise not to let it happen again. But it will happen again.

Inexplicable as it may be, it’s almost like a game to these companies. I can’t think of another reason why they would play fast and loose with this information in the first place.

It would seem that they really don’t care about the security of this data, and the only way their customers can immunize themselves from this apathy is to not shop there. Unfortunately, not enough people would participate in such a boycott, so it is not enough of a deterrent to force real change. In the case of Heartland Payment Systems, there’s no one to boycott — simply using your credit or debit card at a retailer running Heartland’s processing system was enough to expose your information to thieves. To get around it, you’d have to pay with cash everywhere.

Instead, we get an apology and a FAQ like the one on Target’s site discussing what happened — and that’s it.
Customers’ cards will be used to purchase all kinds of items all over the world until the cards are shut down; their credit ratings can take a hit; they’ll get new cards with new numbers and deal with the hassle and frustration of rearranging automated payments; and so forth. But that’s all. Target will get some negative publicity for a little while, lose some sales, and go back to business as usual. Heck, I bet most people don’t even know about the Heartland breach.

This has to change. If retailers store information that in the wrong hands can cause immediate and significant financial harm to their customers, then that corporation should be held liable for all damages that may ensue from a breach of that data. If you make the business decision to store this data, you must also accept that if you screw it up, the damages could run into the hundreds of millions of dollars at the low end.

JP Morgan estimates that the Target breach could incur damages of up to $18 billion. Lawsuits are under way against Target, and state and federal investigations are also in progress, but if past is prologue, very little will come of it. Target may lower its sales forecasts, but only temporarily. If the company had to pay $18 billion in damages, well, that might make a statement.

Target is somewhat of a special case. The company has long been known for its extensive customer data collection and data mining. Stories detailing how Target knows you’re pregnant before anyone else does shine a little light on how much data Target collects and how it’s used. When that data is stolen, it can be spun for all kinds of nefarious purposes.

Target claims this data was not stolen in the recent breach, but forgive me if I’m a little dubious about the veracity of that statement and the security protecting that data.
If Target can lose 100 million credit cards and other customer data, you have to assume it can lose the rest of it just as easily.

Using cash everywhere isn’t an option for most people, and it’s becoming more difficult and expensive all the time. Banks and credit card companies should be championing a universal opt-out that is enforceable. If you opt out of data collection with your credit card or bank, no retailer should be able to store or use any information related to you or your purchases at any point in time. Your credit card information would exist in their systems only as long as is required for payment processing, then be scrubbed. A record of your purchase may be retained, but it should not contain any sensitive information.

Given the choice, I wonder how many people would opt out. The National Do Not Call Registry suggests the number would be extremely high. This wouldn’t please retailers like Target, which use that data extensively to drive business decisions, but too bad — you broke it, you bought it. I just hope it doesn’t take another half-dozen massive data breaches like this to finally result in fundamental change.

By the way, this is nothing compared to all the data the NSA has been collecting and what might happen if that data were exposed. Above any other discussion on the legality and ethics of what the NSA has done, that threat alone should be enough to scuttle the whole program. Alas, I have very little faith in that, perhaps about as much as I have in Target’s security systems.

This story, “Big fines for big breaches: The only way to stop shoddy security,” was originally published at InfoWorld.com. Read more of Paul Venezia’s The Deep End blog at InfoWorld.com.