A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

July 25, 2011 • Issue 11:07:02

Michaels breach reveals gray areas

By Nicholas Cucci
Network Merchants Inc.

When Michaels Stores Inc. reported a tampering scheme involving POS pads used to key in customer personal identification numbers, it was initially thought to be isolated to select stores in the Chicago vicinity. However, upon further investigation it was discovered that nearly 90 stores in 20 states from Rhode Island to Washington were ultimately impacted by the data breach.

Michaels learned of the breach in May 2011, when it was notified about possible debit card fraud related to several of its stores in the Chicago area. It was later confirmed that Payment Application Data Security Standard certified PIN pads deployed in Michaels' stores were swapped out for pads equipped to skim card data. Cards may have been skimmed as far back as December 2010. As a precautionary measure, Michaels removed about 7,200 PIN pads from 964 of its U.S. stores and replaced them two weeks later.

Several Chicago area banks responded by freezing customer bank accounts potentially exposed in the breach. Marquette Bank, which operates 24 branch locations in the Chicago region, told the Chicago Tribune about 1,900 bank customers were potential victims of the fraud scheme. Chicago Credit Union also posted a website notice instructing members to report any fraudulent ATM activity related to their accounts and originating in California, where illegal card activity had been reported.

In the aftermath of the Michaels breach, police in Beaverton, Ore., enlisted the public's help in identifying four suspects who were caught on camera using fake, or white, cards created from card data skimmed at Michaels' stores. The suspects are believed to be from a larger crime organization, involving multiple crews working in numerous geographical regions and moving quickly. No arrests have been made in the case, which is under investigation by the U.S. Secret Service.

Patchwork of state laws problematic

With the recent surge in data breach incidents, inconsistencies in state laws pose a challenge for retailers seeking to implement a universal plan for their operations. Curious about the variations that exist in state laws governing breaches, I set out to answer the following questions:

What are some of the state laws governing merchant data breaches? What is an acceptable time frame for breach notification? What penalties, if any, exist for failure to disclose breaches? What types of incidents are exempt from notification requirements? Below is a summary of current data breach laws in the four states I researched:

    California

    Notification: Most expedient time possible, without unreasonable delay
    Penalty:No civil or criminal penalty for failure to promptly disclose; private right of action
    Exemptions: Encrypted data; Publicly available government data; No exemption for immaterial breaches

    Florida

    Notification: Without unreasonable delay, within 45 days for owners of data, 10 days for those who don't own data
    Penalty: Civil or criminal penalty for failure to promptly disclose; no private right of action
    Exemptions: Encrypted data; Publicly available government data; No exemption for immaterial breaches

    Illinois

    Notification: Most expedient time possible, without unreasonable delay
    Penalty: No civil or criminal penalty for failure to promptly disclose; private right of action
    Exemptions: Encrypted data; Redacted/unreadable data; Publicly available government data; No exemption for immaterial breaches

    Indiana

    Notification: Without unreasonable delay; facsimile notice
    Penalty: No civil or criminal penalty for failure to promptly disclose; no private right of action
    Exemptions: Encrypted data; Publicly available government data; Compromised portable electronic device if password to the device has not been compromised; No exemption for immaterial breaches

PCI DSS only a partial solution

Protecting personal data has long been a concern of credit card companies, which have combined resources to form the PCI Security Standards Council, which is concerned with making sure merchants of all stripes are responsible for meeting certain data protection standards.

The standards set forth by the council cover six large principles, and a total of 12 requirements to meet those principles as part of an effective security plan. The six principles are as follows:

  1. Build and maintain a secure network: First, a properly secure network should have a firewall that protects cardholder data, and any default passwords included by the network security vendor must be changed.

  2. Protect cardholder data: Any stored customer data must be protected, along with encrypting said data when it is transmitted across public networks.

  3. Maintain a vulnerability management program: Anti-virus software must be used and kept up-to-date, and secure systems and applications must be developed.

  4. Implement strong access control measures: Not all customer data is available to everyone in the business; instead, access should be controlled on a need-to-know basis. Also, everyone with access to sensitive data must be identified with a unique ID, and physical access to cardholder data must be controlled.

  5. Regularly monitor and test networks: Networks must be properly tested on a regular basis for security and access, and cardholder data access must also be monitored.

  6. Maintain an information security policy: A policy that addresses information security must be maintained at all times.

Time for a national policy

Breach notification laws remain a gray area for the payments industry. Forty-six states have breach notification laws, but the laws across states lack uniformity as well as enforcement.

In 2009, Missouri enacted some of the nation's most stringent data protection measures to date. According to Missouri law, the customer's last name and full first name or first initial, in combination with the Social Security number, driver's license number or any other identifying number (such as credit card, bank account, routing code) and passwords or access codes, must be protected.

If this data is breached, notification must be made in the event that identity theft is deemed a possibility, or violators face a $150,000 fine per incident.

In Illinois, where Michaels' stores were hit hardest by the PIN pad scheme, state notification laws require companies to notify consumers whose personal information has been compromised within a reasonable period. Similarly, in Texas, where Michaels is headquartered, state law requires companies to notify consumers as quickly as possible.

Earlier this year the Obama administration proposed the adoption of a data breach notification policy that would supersede state laws. The federal proposal stated, "The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation, unless such conduct is found to be intentional."

In light of the 20 different sets of state laws the nationwide retailer is obliged to follow, is the Michaels' case one that requires customer notification? Will the actions taken by Michaels be enough to satisfy growing public concern over personal identity and data protection issues?

Finally, should there be a national data breach policy? Have we reached a tipping point where a national policy may be necessary to defend against an increasingly pervasive criminal element? What do you think? end of article

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing