Data Breach: A 21st Century Consumer Problem

ATTORNEY: MARK B. GOLDSTEIN
POMERANTZ MONITOR, JULY/AUGUST 2014

Pomerantz is representing a class of Target customers who were victimized by a widely-publicized hacking incident late last year. Thieves were able to sneak into customer data files maintained by the company and steal 40 million credit and debit cards numbers and 70 million customer records. Target announced the breach last December and said that consumers who shopped at Target between November 27 and December 15, 2013 were victimized. 

Since then there have been many similar breaches at other companies, including Sally Beauty, Michaels Crafts, and the popular Chinese restaurant chain P.F. Chang’s. Typically, thieves steal card data by hacking into cash registers at retail locations and installing malware that covertly records data when consumers swipe credit and debit cards through the machines. Often, the perpetrators re-encode the data onto new counterfeit cards and use them to buy expensive goods that can be resold for cash. Since last year, the cost of data breaches have risen on average 15%, to $3.5 billion. 

In response, consumers have filed class actions against the companies whose data bases were breached. Consumers and banks have filed more than 90 cases against Target, most of which allege that Target negligent¬ly failed to implement and maintain reasonable security procedures to protect customer data and that it knew, or should have known, about the security vulnerabilities when dealing with sensitive personal information. The cases also allege that Target did not alert customers quickly enough after learning of the security issue. Target did not disclose the data breach until weeks after it was announced by a security blogger. Then, Target revealed weeks later that even more customers were affected than originally announced. 

More recently, consumers sued P.F. Chang’s, alleging that it “failed to comply with security standards and allowed their customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the security breach that occurred.” The complaint claims that P.F. Chang’s failed to disclose the extent of the security breach and notify its affected customers in a timely manner. 

Data breach lawsuits are a relatively new phenomenon, so there is new law to be made here. There are practices that can cut down on these breaches. Most notably, since the Target breach, there has been much discussion of adopting the European-style “chip and pin” credit cards, whose information is more difficult to hack. These cards use a computer chip embedded in the smartcard, and a personal identification number that must be supplied by the customer. The benefit of the chip and pin system is that cloning of the chip (i.e. reproducing it on a counterfeit card) is not feasible. Only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. The switch to chip and pin credit cards in Europe has cut down theft dramatically. France has cut card fraud by more than 80% since its introduction in 1992. Chip and pin cards are yet to be adopted universally by American vendors. 

In the meantime, consumers should be vigilant with their credit card use, and frequently check their credit card statements. Additionally, consumers subject to data breach should act immediately and cancel their credit cards to limit their vulnerability.