Three days of hearings on Capitol Hill about the jaw-dropping data breaches at Target and Neiman Marcus brought to light one new apology and at least two familiar lessons. The lessons are worth reiterating.
First, there’s fresh evidence retailers have a hard time admitting when they’ve been hacked. Once they do, they find it hard to tell the whole story.
Target said nothing about the breach until an independent security researcher disclosed it on his blog. In its initial statement, the company said the attack involved 40 million card accounts. Three weeks later, Target revealed other records affecting 70 million customers also were stolen. Finally, after repeating “how sorry we are that this happened,” a Target executive divulged the breach lasted three days longer than initially admitted. Neiman Marcus has been similarly evasive.
This is the kind of slow-motion, piecemeal response that infuriates consumers. A uniform federal standard mandating how retailers report data breaches, which some in Congress are advocating, would be an improvement compared to the varying state-by-state disclosure laws now in effect, which can allow companies to investigate for months before announcing anything. On this, most retailers and banks agree.
The second lesson is to speed adoption of smart-chip cards with encrypted chips embedded in them, often requiring a password to use. Consumers in about 80 countries now use the technology, which has been shown to significantly reduce fraud and identity theft, but it hasn’t caught on in the United States, where most cards still use antiquated magnetic-stripe technology.
Switching to the new cards is a complicated and expensive process that requires cooperation between several parties — card issuers, banks and merchants — with conflicting priorities. Merchants don’t want to shell out for new smart-chip terminals, for instance, unless they’re sure issuers will pay up to produce the cards.
Yet, it’s worth it: Although these cards wouldn’t have prevented the data theft at Target ... they would have made using that data to create counterfeit credit cards much harder — and thus substantially reduced the incentive to try. ...
Merchants and issuers are expected to finally adopt the technology in the United States by October 2015. Target, commendably, now plans to accelerate its transition and have the gear in place by early next year. As other retailers watch Target contend with investigations, lawsuits and the ire of consumers and investors alike, doing the same might start looking cheaper and cheaper.
— The Bloomberg View