Retailers Can Wait To Tell You Your Card Data Have Been Compromised

Jan 23, 2014
Originally published on January 24, 2014 3:32 pm

You might think that retailers have to let you know right away if they get hacked and someone steals your account information.

But recent disclosures by Target and Neiman Marcus that their networks were hacked, and data about their consumers were stolen, have raised questions about how quickly merchants need to alert their customers.

In the case of Neiman Marcus, the company may have had evidence of a breach as far back as July. But the law is a bit murky on just how quickly companies need to let customers know.

"This is much more complex than what you might think," says Peter Guffin, an attorney who specializes in privacy and data. He says there's a patchwork quilt of laws that make these disclosure rules complex.

"You've got 46 states, I believe, at last count who actually have their own notions of data breach notification," he says.

States vary in how much they require retailers to inform consumers about breaches. Some states say companies don't have to alert consumers unless there is a real "risk of harm." Guffin says the only place they tend to agree is that "most states want you to be notifying affected individuals as expeditiously as reasonably possible."

But consumer advocates point to a big exception to this rule that gives companies a lot of room.

"If there's a law enforcement investigation going on or if a disclosure about a data breach could impede a law enforcement investigation, then companies don't have to inform consumers of the breach immediately," says Jamie Court of the advocacy group Consumer Watchdog.

Court says companies can use an ongoing investigation as a reason to delay when they fear it will have a negative impact on their bottom line. He suspects that Target and Neiman Marcus may have delayed notifying customers about recent security breaches.

"It happened during the Christmas buying season," Court says. "And we just can't be sure until law enforcement tells us when the companies knew about the breach and whether they delayed the information getting to the American people."

Several state attorneys general are investigating the breaches, and in many cases, they look into the timing of the disclosure as part of the overall investigation.

In emails, spokespeople for Neiman Marcus and Target say they are confident that they are meeting all legal notification requirements.

Privacy and data security attorney Guffin says there are some good reasons companies don't send out notifications the minute they see signs of a security breach.

"You might discover today a so-called breach," he says. "But it's gonna usually take a fair amount of time to do a proper investigation to figure out what happened."

However, Guffin says there are powerful economic incentives to keep the breach quiet for as long as possible. A report by the Ponemon Institute, which does research on security issues, compared the costs to companies that alerted customers quickly and those that didn't.

"Quick responders paid significantly more than companies that moved a little bit more deliberatively in terms of their responding," Guffin says. Factors such as sending out more notifications than necessary, false alarms and harm to reputation raised the cost, he says.

Consumer advocates are aiming to make the cost of withholding information higher. Court thinks it's too hard for consumers to sue companies for damages.

"Your privacy doesn't have a monetary value and under almost every law that I know of there's no way to sue to make the company pay a price for not being forthcoming enough in a timely way," he says.

Both Court and Guffin say there should be one federal law that governs notification to consumers of security breaches. They say the current patchwork of laws raises the cost and aggravation for everyone.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

MELISSA BLOCK, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block.

ROBERT SIEGEL, HOST:

And I'm Robert Siegel.

When a retailer's computers are hacked and consumer information is stolen, how fast should a company let its customers know? Well, hacking at Target and Neiman Marcus has thrown a spotlight on that question. Millions of credit card numbers were stolen from both companies. In the case of Neiman Marcus, the breach went back as far as July. The company says it didn't detect any trouble until mid-December, and it didn't tell customers until January 10th.

NPR's Laura Sydell reports that the law on this is murky.

LAURA SYDELL, BYLINE: You'd think that if your credit card info and all that other information you shared with a retailer got stolen, the business would let you know ASAP.

PETER GUFFIN: This is much more complex than what you might think.

SYDELL: Peter Guffin, an attorney who specializes in privacy and data security, says there's a patchwork quilt of laws.

GUFFIN: You've got 46 states - I believe, at last count - who actually have their own notions of data breach notification.

SYDELL: Guffin says the states vary about how much the retailer has to let you know about the breach, exactly when they have to tell you. Some states say companies don't have to alert consumers unless there is a real risk of harm. Guffin says the only place they tend to agree.

GUFFIN: Most states want you to be notifying affected individuals as expeditiously as reasonably possible.

SYDELL: But - and there is a but - consumer advocates point to a big exception to this rule that gives companies a lot of room. Jamie Court is with the advocacy group Consumer Watchdog.

JAMIE COURT: If there's a law enforcement investigation going on or if a disclosure about a data breach could impede a law enforcement investigation, then companies don't have to inform consumers of the breach immediately.

SYDELL: Court says companies can use an ongoing investigation as a reason to delay when they fear it will have a negative impact on their bottom line. He's been suspicious that Target and Neiman Marcus may have delayed notifying customers about recent security breaches.

COURT: It happened during the Christmas buying season. And we just can't be sure until law enforcement tells us when the companies knew about the breach and whether they delayed the information getting to the American people.

SYDELL: In emails, spokespeople for Neiman Marcus and Target say they are confident that they are meeting all legal notification requirements.

Privacy and data security attorney Guffin says there are some good reasons companies don't send out notifications the minute they see signs of a security breach.

GUFFIN: You might discover today a so-called breach. But it's going to usually take a fair amount of time to do a proper investigation to figure out what happened.

SYDELL: However, Guffin admits there are powerful economic incentives to keep the breach quiet for as long as possible. A report by the Ponemon Institute, which does research on security issues, looked at the cost to companies that alerted customers quickly and those that didn't.

GUFFIN: Quick responders paid significantly more than companies that moved a little bit more deliberatively, in terms of their responding.

SYDELL: Guffin says factors like sending out more notifications than necessary, false alarms and harm to reputation raised the cost. Consumer advocates, like Jamie Court, are aiming to make the price of withholding information higher. He thinks it's too hard for consumers to sue companies for damages.

COURT: Your privacy doesn't have a monetary value and under almost every law that I know of there's no way to sue to make the company pay a price for not being forthcoming enough in a timely way.

SYDELL: Both Court and Guffin think the federal government should make one law governing notification to consumers of security breaches. Court and Guffin say the current patchwork just raises the cost and the aggravation for everyone.

Laura Sydell, NPR News. Transcript provided by NPR, Copyright NPR.