by Korey Clark
A massive breach of credit card account information five years ago was considered a wake-up call for retail businesses and financial services companies around the globe. But while that call appears to have been heeded in much of the world, data breach headlines continue to come at an alarming rate in the United States.
In just the last several months, Neiman Marcus announced it was the victim of a data breach affecting about 1.1 million of its customers; craft retailer Michaels confirmed that a data breach compromised nearly 2.6 million customer accounts; Target Corp. reported that a data breach exposed the credit and debit card information of approximately 40 million customers and the addresses and telephone numbers of about 70 million; and a Vietnamese man confessed in a federal court in New Hampshire that he orchestrated a breach involving a subsidiary of Experian PLC that exposed the social security numbers of as many as 200 million people.

Those were far from the first major, publicly reported breaches. T.J. Maxx suffered a breach in 2007 that involved 90 million customers. And an even bigger attack came two years later, when 130 million credit card numbers were stolen from card processor Heartland Payment Systems. Steven M. Elefant, managing director of Soaring Ventures and Heartland's chief security officer when it was breached in 2009, said that incident should have been a wake-up call to retailers and financial institutions that they needed to strengthen their defenses.

But a Feb. 18, 2014 report prepared by staff counsel for the California Assembly's Committee on the Judiciary stated: "According to a Javelin Strategy and Research report, credit card fraud has increased 87 percent since 2010, culminating in aggregate losses of $6 billion nationwide. For the year 2013 alone, Verizon [Enterprise Solutions] found that there were more than 600 publicly disclosed data breaches." Such statistics are presumably what prompted Mallory Duncan of the National Retail Federation to declare to a U.S. Senate subcommittee in February that "Data breaches are a fact of life in the United States." But data breaches are a bigger problem here than in other parts of the world.
The United States accounts for over 47 percent of global credit card fraud, while accounting for less than 24 percent of global credit card spending, according to the August 2013 issue of The Nilson Report, a credit card industry newsletter. "The U.S. is the only world region where counterfeit fraud continues to rise," said the newsletter's publisher, David Robertson, according to The New York Times. One major reason for that, Robertson added, is the failure of American credit card issuers to embrace smart-chip technology. Over 80 countries have adopted smart-chip cards, which, unlike older magnetic-stripe cards, generate a unique code with each transaction, making stolen data less useful for thieves.

As The Times reported, Europe began migrating to smart-chip technology back in 2002, well before the T.J. Maxx or Heartland data breaches. In 2005, liability for credit card fraud was shifted from the card issuers to merchants in cases where the merchants accepted a magnetic-stripe card instead of a smart-chip card. And after peaking in 2008, fraud levels in Europe began to decline, according to research company Euromonitor International. In spite of that fact — and the steady rise of credit card fraud in America — less than 1 percent of credit cards in this country are of the smart-chip variety. "The U.S. is still the only market using these 1960s magnetic-stripe cards," said Paul Kocher, president of Cryptography Research, a company that develops fraud prevention technologies.

But outdated credit card technology isn't the only problem with America's credit card system. Security experts say there are also weaknesses in the way credit and debit card payment information travels from retailers to banks. When a retail customer makes a purchase with a credit or debit card, the payment information is transmitted from the retailer's store terminal through its network to the issuing bank and credit card company.
And most retailers still transmit that information in plain text without encryption. "At every hop it could be vulnerable," Cryptography Research's Kocher told The Times. "There have been attacks at every stop along the way."

Even in cases where the purchase data is encrypted, there are other weak spots for thieves to exploit. "Cash registers used to be just cash registers," Dan Kaminsky, chief scientist at security consulting company White Ops, said to The Times, adding that today's point-of-sale (POS) devices are basically computers that are as vulnerable to hacking as PCs. According to a report this year by Verizon, the most popular form of POS attack involves the use of "RAM-scraping" malware, which captures payment data while it's still being processed in memory and hasn't yet been encrypted.

Retail and financial services aren't the only industries vulnerable to data breaches. Verizon's 2014 Data Breach Investigations Report (DBIR) examines the risks faced by numerous others, including insurance, hotels, restaurants, utilities, manufacturing and mining. And those industries don't all face the same risks. While POS intrusions are the main threat for retail businesses, for example, manufacturing and mining companies are more at risk of cyber espionage from other countries. "It's a complex landscape and you can't take a top 10 list and say that everyone defend against the same things," Jay Jacobs, Verizon senior analyst and DBIR co-author, told ZDNet. "There's a risk grid by industry."

The risks haven't gone unnoticed by state lawmakers. At least 19 states have introduced data-breach legislation this year, and 23 did so last year, according to the National Conference of State Legislatures. And every state but three — Alabama, New Mexico and South Dakota — has enacted at least one data-breach law. But most of those introduced measures and enacted laws focus mainly on requiring public notification of data breaches, leaving other data-security issues unaddressed.
However, last month, in addition to enacting a data-breach notification bill (HB 232), Kentucky also enacted a measure (HB 5) requiring public agencies that deal with personal information to "implement, maintain and update security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches," according to LexisNexis State Net's legislative database. That database also shows that California Assembly Speaker John A. Perez (D) introduced a bill (AB 2200) in February that would create a "Cybersecurity Commission" to develop "cyber-attack response strategies." "The State of California's growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks," the bill states. "Thus far, there has been a fragmented approach to this issue.... For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities."

The major credit card companies, including Visa and MasterCard, are addressing one critical data-security issue themselves. They've set October 2015 as the date when U.S. merchants will be subject to new smart-chip card standards and they will become liable for fraudulent magnetic-stripe transactions. But with individual credit card numbers fetching up to $45 apiece on the black market and even the most cutting-edge security not completely impervious to hacking, according to security experts, breaches aren't likely to end any time soon. "It's a game of cat and mouse," said Heartland's former security chief, Elefant. "We're dealing with sophisticated bad guys that have many ways to attack."
States continue to focus on data security
At least 19 states have introduced and two states have enacted security-breach legislation in 2014, after 23 states introduced and eight states enacted such legislation last year, according to the National Conference of State Legislatures. Most of the measures would make amendments to existing data-security laws. But Kentucky enacted its first data-breach measures (HB 5 and HB 232), leaving just three states — Alabama, New Mexico and South Dakota — that have not enacted such laws.
The above article is provided by the State Net Capitol Journal. State Net is the nation's leading source of state legislative and regulatory content for all states within the United States. State Net daily monitors every bill in all 50 states, the District of Columbia and the United States Congress - as well as every state agency regulation. Virtually all of the information about individual bills and their progress through legislatures is online within 24 hours of public availability.