The Green Sheet Online Edition
April 26, 2010 • Issue 10:04:02
Retailer wanted breach connection hushed up
Arguing that the revelation of its connection to the Heartland Payment Systems Inc. data breach in 2008 would cause "confusion and alarm," department store chain J.C. Penney Company Inc. tried to keep that news under wraps, according to court documents unsealed in March 2010. The documents were part of the trial of Albert Gonzales, who received a 20-year prison sentence in March for his role in three major hacking cases.
Additionally, the clothing and jewelry retailer said that forcing the company to reveal its connection to the breach would set a bad precedent and cause retailers in similar situations to not report data breaches of their networks.
Disclosure of J.C. Penney's connection to the Heartland matter "may discourage other victims of cyber crimes to report the criminal activity or cooperate with enforcement officials for fear of the retribution and reputational damage that may arise from a policy of disclosure as espoused by the government in this case," argued retailer's attorneys.
The judge in the case, which was held in the U.S. District Court for the District of Massachusetts, eventually ruled in favor of disclosure. Until that time, J.C. Penney had been referred to in court documents as "Company A." In arguing for disclosure, U.S. prosecutors contended that consumers are entitled to know when their card information is compromised.
Consumer protection wins out
Bankcard industry attorney Paul Rianda said that, while there is merit to J.C. Penney's contention, the court decision was correct in boiling the issue down to one of consumer protection.
"It's very difficult because Visa and MasterCard rules impose this duty on the merchant that when any third party is breached, be it a payment gateway or processor, it's the merchant's problem in addition to the party that's breached," Rianda said. "It's a little unfair to the merchant, but I don't know there's a better solution out there because you're trying to protect consumers, and how can you do that if you don't disclose this information?
"The end result is that, for customers that are potentially going to have information compromised, it seems to me something that I as a consumer would want to know about," he added. "I don't know necessarily that it's in the best interest of J.C. Penney, but it seems to be in the interest of their customers to get that information out."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.