Can existing laws protect consumers after Target breach? - NBC12 - WWBT - Richmond, VA News On Your Side


At least 70 million people are now in the crosshairs of the Target breach. And alarmingly, that number could soar past 100 million.

"It's a game changer," said Mark Pribish, an identity theft expert and vice-president with Merchants Information Solutions, Inc. in Phoenix. "They still don't have a handle on it," he said about the big box retailer's security breach of customers' personal information.

CBS 5 News is asking if there are any protections for consumers, considering potentially a third of Americans have now been affected by the hack.

We found that laws on the books here in Arizona may not go far enough to protect you. It's not clear yet how many Arizonans have been affected by this breach, but the number could be huge. Arizona Federal Credit Union reports that 20 percent, or 20,000 of its 100,000 total card holders, had their personal information stolen due to the Target breach.

"The 'Arizona' law is one of 46 state breach-notification laws in the U.S.," Pribish said, referring to Arizona civil statute 44-7501. But as we discovered, that statute only requires that a business notify people affected by a breach. "The requirements are minimal," Pribish added.

He says times have changed, and so have data breaches. Arizona's law needs an update, he says.

Pribish and some politicians alike suggest there be "...some information security and governance requirements standards for all business regardless of the size of the business," Pribish said.

That's actually the aim of legislation re-introduced in the U.S. Senate just this past Wednesday. The Personal Data Privacy and Security Act was first proposed in 2005.

"Since that time, it's been proposed virtually every year, and each year, to be polite, there's a watered down version," Pribish said.

It calls for businesses to have a detailed security program. But it also allows for states and the Federal Trade Commission to levy legal action, including fines, against companies liable for data breaches.

"You could be fined up to $500,000 per incident for each data breach event," Pribish explained.

But Ken Colburn with Data Doctors says those "standards" may be a bit futile.

"There's already requirements as a retailer for anybody that's taking credit cards, to comply with the processing card industry requirements," Colburn said.

He points to a more frightening risk not addressed in either the PDPSA bill or Arizona's current legislation.

As Colburn put it, "The human on the inside of a system has always been the number one security risk."

The cost of a breach to you, the consumer, could be high, and to companies too. A computer software security company called Symantec found that detection and notification of a breach could cost $188 per customer. If 70 million Target customers are at risk, the breach could cost Target $1.3 billion.

Copyright 2014 CBS 5 (KPHO Broadcasting Corporation). All rights reserved.
