New York State Should Make Merchants Do More To Prevent Data Breaches

November 17, 2014 at 8:10 am

My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception.  No easy task, but here goes.

There are two basic reasons to hold a hearing in Albany.  The first reason is to react to an issue without actually doing anything about it.  Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished.  The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.

On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches.  Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point.  But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.

The hearing featured the testimony of Ted Potrikus, the President of the Retail Council, and an erstwhile Albany veteran.  The way retailers tell the story, there really is no need for data breach mandates.  The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.

However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches.  Every year, a survey is done assessing PCI compliance.  As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches.  Home Depot’s top executive recently conceded as much.

A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions.  Again, this is not entirely accurate.  First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards.  Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data.  For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processors responsible for the cost of their negligence.

Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breaches is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.

It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.

Entry filed under: Advocacy, Legal Watch, New York State.



Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
