In Volume I, I discussed the liability that Target may have to its customers as a result of the data breach.
But that is only the beginning of Target’s potential legal woes. You see, when there is a massive data breach, there are a lot of players involved, and they all tend to blame each other. That results in massive litigation and finger pointing. Good for the lawyers. Bad for everyone else.
To understand who might sue whom, you also have to understand who the players are in your average credit card transaction. What follows is a simplified version.
When you buy a pack of Altoids at the counter at Target, there are many entities involved in the transaction. First (well, second or third actually) is you, the CONSUMER. But before you can buy something, you have to get a credit or debit card.
Getting the Card
To get a credit card, you apply with a CARD ISSUER, a bank that says, “Yes, I will extend credit to the CONSUMER” or, in the case of a debit card, you put actual real money in the bank, and the bank issues a debit card to accomplish a withdrawal from the account.
The CARD ISSUER issues the card in the name of a CARD BRAND like VISA or MasterCard, which sets out certain rules with respect to card acceptance and rules of the road. So the CONSUMER has a relationship with the CARD ISSUER, which in turn has a relationship with the CARD BRAND. The CONSUMER takes their card to the MERCHANT.
In order to accept credit cards, the MERCHANT establishes a merchant account with a COLLECTING BANK. The MERCHANT enters into a contract with the COLLECTING BANK that includes an agreement to comply with the provisions of the Payment Card Industry Data Security Standard (PCI DSS), a set of rules issued by the CARD BRANDS regarding the privacy and security of payment systems.
While many people consider such rules to be a legal requirement that subjects the MERCHANT to fines for a breach, in fact they are a contractual requirement, albeit one backed by the threat of no longer permitting the MERCHANT to process credit cards, which effectively puts the merchant out of business. For now, at least: Overstock.com just announced that it is going to start taking Bitcoin, so that may be a game changer in the future. Maybe not.
Once the MERCHANT opens an account with the COLLECTING BANK, they have to get a bunch of Point of Sale (POS) terminals – typically from a POS vendor. This is where things get complicated.
POS vendors market their wares as “PCI DSS compliant” and in fact are assessed by the CARD BRANDS against a separate security standard of their own, the Payment Application Data Security Standard (PA-DSS).
The POS terminals are part of the larger payment processing system, which can be fully integrated into a MERCHANT’s systems including inventory management and relational databases. The MERCHANT or VENDOR may also have SOFTWARE DEVELOPERS or INTEGRATORS who integrate the POS terminal with the MERCHANT’s computer network.
So the POS terminals are vulnerable to attack. So are the MERCHANT’s computer systems, networks, and other software – anywhere that credit or debit cards might be flowing.
In addition, the MERCHANT will likely hire a PCI DSS ASSESSOR to conduct an evaluation of their compliance with the contractual requirements for data security.
The ASSESSOR will issue a report on compliance, but in doing so depends on the representations and cooperation of the MERCHANT. Moreover, these assessments are typically just a snapshot of representative parts of a payment system and not a comprehensive, real-time assessment of the security of the whole system.
In addition, the MERCHANT may also have other THIRD PARTY VENDORS or CLOUD PROVIDERS who help manage data infrastructure, including networks associated with payment processing.
Vulnerabilities in any of these systems can lead to vulnerabilities in credit card security.
The next player is the PAYMENT PROCESSOR. The COLLECTING BANK enters into an agreement with a PAYMENT PROCESSOR to manage the collection of funds. It is the PAYMENT PROCESSOR who tells the MERCHANT that the CONSUMER’s card has enough money on it, and facilitates the transfer of funds from the ISSUING BANK to the COLLECTING BANK.
Typically PAYMENT PROCESSORS are a huge target (pardon the pun) for attack because they host hundreds of millions of credit card numbers and are hyper-connected.
A Breach
When debit or credit cards are compromised, the CARDER, a criminal who specializes in stealing information from credit cards, will obtain the card numbers and may turn them into actual physical cards that they will use at OTHER MERCHANTS.
So a stolen card number may be posted on a carder site and sold to a CARDER who will use it to buy a large screen television at the OTHER MERCHANT. When the OTHER MERCHANT tries to collect funds from the ISSUING BANK, the charge will ultimately be declined. So the OTHER MERCHANT is out a large screen television.
A MERCHANT typically finds out about a breach when the CARD BRAND notices unusual activity and determines that the MERCHANT is a “Common Point of Purchase” – that is, they notice that a bunch of fraudulent transactions have something in common – the cards were all used at a Target store.
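Common point of purchase analysis, as an added illustration of how the CARD BRAND narrows a batch of fraudulent cards down to one MERCHANT. This is example code written for this post, not anything from Target or the card brands; the purchase history, card IDs and store names are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed purchase history: (card_id, merchant, purchase_date).
# Cards C1..C4 were later reported as used fraudulently; C5..C8 were not.
HISTORY = [
    ("C1", "Target #1234", date(2013, 11, 29)), ("C1", "Grocer A", date(2013, 11, 30)),
    ("C2", "Target #1234", date(2013, 12, 1)),  ("C2", "Gas B", date(2013, 12, 2)),
    ("C3", "Target #5678", date(2013, 12, 3)),  ("C3", "Grocer A", date(2013, 12, 4)),
    ("C4", "Target #5678", date(2013, 12, 5)),  ("C4", "Cafe C", date(2013, 12, 6)),
    ("C5", "Grocer A", date(2013, 12, 1)),      ("C5", "Gas B", date(2013, 12, 2)),
    ("C6", "Cafe C", date(2013, 12, 3)),        ("C6", "Grocer A", date(2013, 12, 5)),
    ("C7", "Gas B", date(2013, 12, 4)),         ("C7", "Target #1234", date(2013, 12, 7)),
    ("C8", "Cafe C", date(2013, 12, 8)),
]
FRAUD_CARDS = {"C1", "C2", "C3", "C4"}
WINDOW = (date(2013, 11, 27), date(2013, 12, 15))  # suspected exposure period (assumed)


def merchant_chain(name):
    """Collapse individual stores ('Target #1234') into the chain ('Target')."""
    return name.split(" #")[0]


def common_point_of_purchase(history, fraud_cards, window, min_fraud_share=0.5):
    """Rank merchant chains by how much more often the fraud cards shopped there
    during the window than the cards that were not compromised.
    Returns [(chain, fraud_share, base_share, lift)] sorted by lift, best first."""
    start, end = window
    seen = defaultdict(set)   # chain -> cards that shopped there inside the window
    all_cards = {card for card, _, _ in history}
    for card, merchant, day in history:
        if start <= day <= end:
            seen[merchant_chain(merchant)].add(card)
    clean_cards = all_cards - fraud_cards
    ranked = []
    for chain, cards in seen.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        if fraud_share < min_fraud_share:
            continue   # too few of the fraud cards went there to explain the pattern
        base_share = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        lift = fraud_share / base_share if base_share else float("inf")
        ranked.append((chain, fraud_share, base_share, lift))
    ranked.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    for chain, fs, bs, lift in common_point_of_purchase(HISTORY, FRAUD_CARDS, WINDOW):
        print(f"{chain:10s} fraud cards seen: {fs:.0%}  clean cards seen: {bs:.0%}  lift: {lift:.1f}")
```

A chain that nearly every fraud card visited but few clean cards did (high lift) is the candidate breach point; a chain everyone shops at (lift near 1) is just popular, which is why the baseline matters.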
When a CONSUMER learns that their card was used fraudulently, they will typically call their ISSUING BANK and ask that their card be reissued. The ISSUING BANK will reissue the card, typically at a cost from $50 to $100 per card. This can run into the tens of millions of dollars for 40 million credit or debit cards.
In addition, if the CARDERS steal personal information they also can commit Identity Theft (different from ID fraud) where they actually apply for new credit in the name of the CONSUMER.
Thus, the CONSUMER may have to have credit monitoring or credit freeze services to protect their credit, and may have to monitor their own credit reports to ensure that nobody is impersonating them.
The Aftermath – Who Loses?
There are many entities that suffer losses when there is a data breach. The main ones are not the CONSUMER themselves, since they have no liability for breaches that they detect.
The first entity that suffers actual monetary loss is the OTHER MERCHANT – the one where someone makes a purchase on a stolen credit card number. Whether the OTHER MERCHANT has to pay this cost depends on whether there is a “card member present” or “card member not present” transaction. Generally, if there is a physical card present, the OTHER MERCHANT has no liability. For online OTHER MERCHANTS who take card numbers (and CVV validation numbers) they may end up eating the cost of the unauthorized charges. This means that OTHER MERCHANTS may end up suing Target for the cost of products purchased with stolen cards. Loser number 1.
In addition, the ISSUING BANKS had to hire additional staff and have them work overtime to cover the onslaught of reissuances of credit or debit cards, not to mention the cost of physically producing the cards, mailing them, validating them, etc. While ordinary reissuances are just a cost of doing business to the ISSUING BANK, the cost of reissuing 40 million cards is no drop in the bucket. Loser number 2.
Some or all of these entities may have cyber insurance, data breach insurance, or some other form of casualty insurance to cover risks like this. This means that another possible loser is the INSURANCE COMPANY that issued the policy. Yet another litigant. Loser number 3.
If debit cards AND PIN numbers were compromised (and there are conflicting reports about whether PIN numbers were compromised) then the ISSUING BANK may have a bigger problem, as may the CONSUMER. If funds are withdrawn from a debit card, the consumer may incur overdraft or other fees and expenses, may bounce checks, and may be unable to make legitimate purchases. People may end up closing bank accounts as a result (even if this really won’t help). Loser number 4.
If a consumer can’t use their credit or debit card in the days or weeks before Christmas (and some banks have put spending or withdrawal limits on their customers), then these consumers can’t buy their new 70-inch SONY Bravia television. This may represent a lost sale to the OTHER MERCHANT or the MANUFACTURER as a result of the breach. Loser number 5.
Another loser here is the original MERCHANT – in this case, Target. We think of the MERCHANT that suffered the breach as the “bad guy” – the defendant, the one who screwed up. In fact, a bunch of state Attorneys General (AGs) are reportedly investigating Target for the breach, and wondering whether they did enough to protect consumers.
Let us not forget that Target was the victim of a crime! Let me say that again, Target was the victim of a crime. A full investigation may well show that Target failed to prevent the attack, and that “better” security might have prevented, deterred or lessened the impact of the attack. An investigation will also likely show that they could have handled the incident response better, or that they could have notified consumers sooner.
Maybe. Maybe not.
Again, Target was the victim of a crime! So Target and its insurers suffer major losses, shareholders suffer potential losses, and Target eats the costs of the 10% discounts it offered customers, the costs of investigation, credit monitoring, notification, the AG investigations, possible FTC sanctions and fines, possible fines from the COLLECTING BANK or the CARD BRANDS, reputational loss, etc. They are the big loser here (along with their insurance companies).
Conclusion
So we have a situation with many players who may have messed up, and many players who have potential losses. In the most comparable data breach situation, the TJX (TJ Maxx) case, there were rounds upon rounds of litigation, with depositions and discovery, and seemingly endless meetings with lawyers.
The takeaway? The best way to avoid the costs of a breach is to avoid the breach in the first place. That’s why security really really really does have a positive Return on Investment (ROI). We just can’t quantify it. Ask Target.