Three days of hearings on Capitol Hill about the jaw-dropping data breaches at Target Corp. and Neiman Marcus Group Ltd. brought to light one new apology and at least two familiar lessons. The lessons are worth reiterating.
First, there’s fresh evidence that retailers have a hard time admitting when they’ve been hacked. Once they do, they find it hard to tell the whole story.
Target said nothing about the breach until an independent security researcher disclosed it on his blog. In its initial statement, the company said the attack involved 40 million card accounts. Three weeks later, Target revealed that other records affecting 70 million customers had also been stolen. Finally, after repeating “how sorry we are that this happened,” a Target executive divulged that the breach had lasted three days longer than initially admitted. Neiman Marcus has been similarly evasive.
This is the kind of slow-motion, piecemeal response that infuriates consumers. A uniform federal standard mandating how retailers report data breaches, which some in Congress are advocating, would be an improvement over the varying state-by-state disclosure laws now in effect, which can allow companies to investigate for months before announcing anything. On this, most retailers and banks agree.
The second lesson is to speed adoption of smart-chip cards, which have encrypted chips embedded in them and often require a password to use. Consumers in about 80 countries now use the technology, which has been shown to significantly reduce fraud and identity theft, but it hasn’t caught on in the U.S., where most cards still use antiquated magnetic-stripe technology.
Switching to the new cards is a complicated and expensive process that requires cooperation between several parties -- card issuers, banks and merchants -- with conflicting priorities. Merchants don’t want to shell out for new smart-chip terminals, for instance, unless they’re sure that issuers will pay up to produce the cards.
Yet it’s worth it: Although these cards wouldn’t have prevented the data theft at Target, in which malware was installed in registers using a dimly understood process, they would have made using that data to create counterfeit credit cards much harder -- and thus substantially reduced the incentive to try. In the U.K., where smart cards were introduced in 2004, losses from card counterfeiting had declined by 68 percent by 2012.
Merchants and issuers are expected to finally adopt the technology in the U.S. by October 2015. Target, commendably, now plans to accelerate its transition and have the gear in place by early next year. As other retailers watch Target contend with investigations, lawsuits, and the ire of consumers and investors alike, doing the same might start looking cheaper and cheaper.
To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at firstname.lastname@example.org.