A Breached Chain Needs To Remember Its Shoppers Are Victims, Too

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

When a cyberthief breaks into a retailer’s network and steals data and payment card specs, the retailer absolutely is a victim. But many chains tend to think of themselves as the only victim, an attitude that manifests itself in various ways when talking with their customers who are also victims. Just because a shopper’s monetary losses are being covered by zero liability doesn’t make them feel less violated and, therefore, feel any less like a victim.

When setting policies and when talking with shoppers after a breach, communicating the message that the retailer is the only victim may prove to be self-fulfilling, as you'll quite likely be an imminent victim of lost revenue and thrown-away loyalty. When a crime has been committed, attitude and empathy go a long way — and they are among the hardest things for many chains to deliver.

A recent column touched on an incident where my wife’s Discover credit card number was stolen and used fraudulently to purchase, among other things, a bunch of Walmart (NYSE:WMT) gift cards. Seeing the exercise as a simple "cost of doing business," Walmart initially refused to give me basic information about the thief – like what he/she bought, where the gift cards were purchased, whether and how they were redeemed, etc., because of their desire to protect the rights of the thief. Well, Walmart reversed itself and agreed to provide this information. Sort of. Actually, I never did get the information from Walmart. Well, not yet. But company representatives did contact me and were actually quite helpful (for the most part). There are many lessons to be learned from the incident, including the need to protect data, the need to respond to customers and the fear of litigation. But most important is the need for retailers to do a better job of aligning themselves with their customers, particularly when there has been a data breach or an attack.

When there is a point-of-sale data breach from a small merchant, and a customer’s credit card number is obtained and used fraudulently at a large merchant’s store, there are many possible "victims" of this crime. From a legal standpoint, the consumer has, at most, very limited liability for the unauthorized transactions (depending on the payment method), but bears the brunt of having to notice the unauthorized charges, contact the issuing bank, chargeback the unauthorized charges, obtain new credit cards, create all new linked accounts for automatic or stored payments, and potentially obtain and review credit reports and initiate credit freezes (or suffer the consequences of such freezes).

In the worst-case scenario, the consumer may also find themselves the victim of genuine identity theft – where bad guys assume the consumer’s persona for employment, credit or other purposes. It’s a huge mess for the consumer, who is looking for someone to blame – and possibly someone to sue. The initial merchant whose POS terminal may have been hacked also sees itself as the "victim." After all, someone broke into the store, stole valuable data, and used it fraudulently. The merchant may or may not have secured the POS terminal properly, but in most cases relied on the POS vendor to have delivered what they thought they had purchased: a PCI-compliant POS terminal. Merchants also bear the costs of remediation, notification, compliance and fines.

The POS vendor sees itself as the "victim" because its terminal was attacked by bad guys, and the attack may have been precipitated or enabled by an unwitting merchant who improperly failed to remove, say, default passwords from the POS terminal, or failed to configure it in a PCI-compliant manner. So the POS vendor cries foul.

The cardmember’s issuing bank sees itself as the victim, as it is at least initially stuck with the chargebacks from the large store and seeks to recover these funds from someone. The cardmember’s bank also bears the costs of processing the chargebacks, re-issuing the credit cards and conducting the fraud investigation.

The large merchant also sees itself as the victim. Someone came to the store (or website) with a stolen credit card and walked off with a bunch of gift cards or an LCD TV.

The recipient of the gift card may also see themselves as a victim, especially if the gift card is payment for some other debt or obligation. If the gift cards are canceled or revoked, the recipient may be out money as well.

So we have lots of people and institutions crying foul, and a consumer looking for someone to blame.

This is where the law and reality diverge somewhat. The law places liability on the party that was "negligent" or that breached a contract (the PCI DSS agreement), which in this case is likely the initial merchant. But the consumer may or may not blame that particular merchant – especially if that merchant is a small merchant with whom the consumer has a personal relationship (the local bookstore, the hardware store, the doctor’s office, the corner deli). No, the consumer may blame the card brand or issuer, or the big-box store (Walmart, are you listening?) for furthering or facilitating the crime against the consumer.

And this is where merchants can fight back with a well-managed incident response plan that includes Open Source Monitoring (OSM), fraud detection and response, public relations and consumer affairs, and trained customer service representatives who see their job as protecting the customer. The goal here is to make sure that the customer sees the merchant as their ally in pursuing the actual criminal, and to promote a unity of interest between the customer and the merchant. Otherwise, the consumer is likely to see the merchant as the bad guy. And that’s what Walmart tried to do – the second time around.

Within hours of the article appearing on the site, Walmart officials contacted the editor to ask if it was OK for them to contact me. I was, of course, expecting armed thugs from Bentonville, Ark., to come after me. Instead, I got a very pleasant phone call from someone in the retailer’s PR and emergency response center (with a charming smile on their website), to help me through the process. Irrespective of what happened next, Walmart both gets major kudos for following up, and teaches a lesson to other retailers about not only customer complaints or comments, but also, more importantly, threat management.

Reviewing media reports is also a wise move. This can and should be done as part of a comprehensive OSM or "Open Source Monitoring" project that seeks out relevant information about your company, your brand, your executives, your industry and your customers. This can provide early warning about customer dissatisfaction, identify potential threats to your company’s image or reputation, and respond to media inquiries and other PR-type problems. But more deeply, an effective OSM project can alert companies to the use or misuse of company trademarks and copyrighted materials, to potential insider threats (e.g., employees offering up trade secrets to competitors), potential disgruntled employees seeking "technical assistance" on how to screw up infrastructure, and other threats and vulnerabilities. Companies can monitor (or pay others to monitor) hacker and carder boards to see whether their gift, affinity or branded credit cards show up on these boards, whether personal information about their customers leaked from their infrastructure is exposed, or even whether they are a "common point of purchase" for potential credit card or identity fraud long before the card brands alert them. OSM programs, if done right, are an early warning system.
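The "common point of purchase" analysis mentioned above is the piece of this early-warning work that an issuer or merchant can actually automate. The following is an added example, not code from the column or from any company named in it: it runs over constructed, fake card and merchant records and ranks merchants by how many compromised cards shopped there shortly before their first fraudulent use, corrected for how popular each merchant is overall so the big-box store everyone visits is not flagged by default.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (card_id, merchant, purchase_date); card ids are fake.
TRANSACTIONS = [
    ("c1", "corner-deli", date(2011, 3, 1)),
    ("c1", "big-box", date(2011, 3, 2)),
    ("c2", "corner-deli", date(2011, 3, 3)),
    ("c2", "big-box", date(2011, 3, 4)),
    ("c3", "corner-deli", date(2011, 3, 5)),
    ("c3", "gas-station", date(2011, 3, 6)),
    ("c3", "airport-kiosk", date(2010, 12, 1)),  # outside the lookback window
    ("c4", "big-box", date(2011, 3, 7)),
    ("c4", "gas-station", date(2011, 3, 8)),
    ("c5", "big-box", date(2011, 3, 9)),
    ("c5", "gas-station", date(2011, 3, 9)),
]
# Constructed: cards later reported as used fraudulently -> first fraud date.
FRAUD_REPORTS = {"c1": date(2011, 3, 10), "c2": date(2011, 3, 11),
                 "c3": date(2011, 3, 12)}

def cpp_scores(transactions, fraud_reports, lookback_days=30):
    """Per merchant: (compromised cards seen there, share, lift).
    share: fraction of compromised cards seen there before their first fraud;
    lift: share / merchant's share of the whole card base, so a store everyone
    visits (the big-box chain) is not flagged merely for being popular."""
    window = timedelta(days=lookback_days)
    fraud_cards, all_cards = defaultdict(set), defaultdict(set)
    for card, merchant, when in transactions:
        all_cards[merchant].add(card)
        first_fraud = fraud_reports.get(card)
        # Only purchases inside the window before the fraud began count.
        if first_fraud and first_fraud - window <= when < first_fraud:
            fraud_cards[merchant].add(card)
    total_cards = len({card for card, _, _ in transactions})
    scores = {}
    for merchant, cards in all_cards.items():
        n_fraud = len(fraud_cards[merchant])
        share = n_fraud / len(fraud_reports)
        lift = share / (len(cards) / total_cards)
        scores[merchant] = (n_fraud, share, lift)
    return scores

def rank_cpp(transactions, fraud_reports, min_fraud_cards=2):
    """Candidate CPPs by share then lift; one-card coincidences are dropped."""
    scores = cpp_scores(transactions, fraud_reports)
    kept = [(m, s) for m, s in scores.items() if s[0] >= min_fraud_cards]
    return sorted(kept, key=lambda ms: (ms[1][1], ms[1][2]), reverse=True)
```

On this data the corner deli surfaces first (every compromised card shopped there, only 60% of all cards did), while the big-box store ranks below it despite appearing on most compromised cards.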

The OSM program can also include social media sites like Twitter and Facebook, where people may share horror stories about maltreatment or other problems with retailers, often accompanied by a hashtag with a suffix "sucks," as in #unitedairlinessucks. This allows the retailer to have a charming PR person with a perfect smile call the disgruntled customer with real information and solutions, and hopefully encourage a new hashtag to follow.

Remember, the original article was about consumer disempowerment: how a victim of credit card fraud (me) not only felt powerless, but also felt that a large retailer didn’t take his complaints seriously. The issue was one of inclusion, not just process.

There’s a story about the Duncan Hines company, which introduced a powdered cake mix in 1952. After World War II, companies had already developed powdered eggs, powdered sugar and powdered milk, and they had cake mixes where the cook only had to add water. They met with limited success. Arlee Andre, a chemist for Duncan Hines, removed the powdered egg and implored the cook to add her own "fresh" eggs to the mix.

Not only did this result in a better cake, it made the cook feel that she was actually cooking, and cooking something healthy (after all, it had eggs in it!). The concept of involving the customer in the process, and making sure they know they are involved, is an important component of any incident response program.

The same is true for data breaches or other potential fraud. Too often companies that experience a data breach simply send out what I call the "Otter" letter, from the movie “Animal House” where Tim Matheson’s Otter tells Stephen Furst’s Flounder, "You F#*(ed up, you trusted us…" This is what too many merchants tell their customers about the customers’ personal information. While many customers simply expect the merchant to fix the problem, some are interested in the process (how was my data breached, how can I help prevent it in the future). Involving the customer puts the merchant and the customer on the same side of the issue (WE want to get the bad guys) as opposed to making the merchant the bad guy (YOU screwed up my data…).

As an aside, this was not the first time I have been a victim of ID fraud or theft. Years ago someone obtained my personal information from a Giant Food loyalty card program in Landover, Md., and used this information to apply for a Citigroup mortgage on a house in Landover. I was alerted by the bank, which then refused to tell me the address of the house I supposedly bought.

Bad customer service – and again, designed to protect the hacker. I ran a credit report on myself, which prominently featured my "new" address. I contacted the USPS and put in a change-of-address form for any mail sent to my Landover address to be forwarded to my real address (and fixed my credit report). Of course, this should have been done by the bank and by Giant Foods, or at a minimum they should not have thwarted my efforts.

Within days, I was receiving credit card applications (and actual credit cards) sent to my new Landover address. This lasted for several months. Similarly, I was called by my credit card issuer and informed that my card was just used for a small purchase somewhere in rural North Carolina. Kudos! That’s how it’s supposed to work. When I told them it wasn’t me, they were prepared to cancel and reissue the card. I asked that they wait a few hours, and they obliged. The bank told me the name and address of the merchant where the card was issued, and I used the Google machine to find the phone number of the merchant and the local sheriff’s department.

With the bank still on the line, I hooked all three together to generate a police investigation. While I was on the phone, the carder used the card again at a gas station a few miles down the road (different police department, different county). This generated a few more calls and a video of the purchaser buying gas with my (fake) card. Again, the bank should have done this, not me, but even so, they at least were willing to help ME investigate. Empowerment!

The Walmart response wasn’t perfect. The nice lady with the perfect smile couldn’t initially find the fraudulent transactions in the CRM system (and I don’t know if she ever found them). She emailed me a fraud complaint form which, if I really filled it out, would have required me to report the "crime" to some unidentified police department, get a police report number, provide it to Walmart together with my notarized affidavit transmitted under penalty of perjury with a host of other personal information, and then fax that back to the merchant.

Way too much hassle (and sharing) just to charge back what everyone agreed were fraudulent purchases, which had already been charged back. That’s an example of a "one size doesn’t fit all" antifraud solution. But the charming woman with the perfect smile didn’t actually expect me to drive down to the local constabulary and then find a notary public.

All she really wanted was the last four numbers of the stolen credit card number. Oh, and I never DID find out how the credit card number was used or how the gift cards were redeemed, but I did feel that the merchant was, in fact, looking into it and might – just might – let me know if they found anything. And in the end, with no liability for the unauthorized purchases, that’s what I really wanted. Now let’s see if Giant Foods, Citigroup, Discover Card or United Airlines read this and contact me. This is just a test.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.