During A Data Breach, Customers Will Stay—Unless You Alienate Them One At A Time

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

With all of the legal wrangling in the wake of the Hannaford data-breach appellate decision over who has to pay for what "damages" or "loss," and to whom, one thing is lost. With today's breach-apathetic American consumers, a multibillion-dollar breach will not likely cause merchants to lose any customers. When one of those impacted customers calls and asks for a replacement card and you say "$20, please," that's when you'll lose that customer.

The appellate decision clarified the legal environment, but it merely said what self-interested chains should have been doing all along. From a merchant, vendor, supplier or technology consultants' standpoint, the goals remain the same: Prevent the breach in the first place, and do what is reasonably necessary to control or mitigate the harm if a breach occurs.

The Hannaford court seemed to imply that what is "reasonable" depends on the nature and extent of the breach, the type of data subject to the breach, and what the bad guys do or could do with this data. In the long run, merchants suffering from data breaches need to step up to the plate and do the right thing, not simply because the law requires it (which it probably does) or because investors or consumers will punish them if they don't (which they probably won't) but mainly because doing the right thing ultimately protects their bottom line. Doing right by customers is both good business and good customer relations.

Forty-six states and several federal agencies have laws that mandate some form of data-breach disclosure in the event of a cyberattack. These laws have typically been perceived by merchants and companies as either a nuisance (I can't believe we have to go to the expense of notifying customers), as punishment (hey, we are the victim here, why do we have to "fall on our swords?") or as an encouragement to provide better security (if you know you have to disclose a breach, you are more likely to try to avoid one). As a result of these laws, merchants typically have to send out what I affectionately call "Otter Letters." In the movie Animal House, Tim Matheson's Eric "Otter" Stratton consoles Stephen Fursts' Kent Dorfman after the fraternity brothers borrowed and destroyed Dorfman's brother's car with these words of sympathy: "You f---ed up; you trusted us." Such is the tenor of many letters to consumers who suffer a breach, "Dear valuable customer. You f---ed up; you trusted us."

The Hannaford case points out the true purpose of data-breach disclosure laws—to ultimately protect the merchant. Data-breach disclosure, credit-fraud watches, credit freezes and reissuances of credit cards are designed to prevent further harm in the event of certain types of data breaches. By alerting customers of the possibility of an identity fraud or identity theft, the merchant is enlisting their help in preventing such fraud by taking reasonable steps that can include things such as, say, actually looking at your credit-card bill for unauthorized charges or cancelling a potentially compromised card.It is far cheaper to get a new card than to reimburse someone for a 70-inch, high-definition, 1080p, 3D-capable LED TV with surround sound bought with a compromised credit-card number. These "costs" are called reasonable mitigation costs.

In the Hannaford case, the merchant sought to have the court declare that the chain was not legally responsible for these costs. Sure, Hannaford reasoned, if your card number was actually used as a result of the compromise, it might have to reimburse. But the chain argued that the mitigation costs were too speculative, citing other cases where, for example, a data tape or laptop was lost and the court did not force the company losing the tape or machine to pay for credit-watch services for the thousands or millions of people whose names might have appeared on those lost tapes.

The Hannaford federal court correctly pointed out that what might be reasonable mitigation when there is a mere remote possibility of an identity fraud or identity theft is not the same as what is reasonable mitigation when there has been an actual theft of identity information by hackers who have used this type of information to commit identity theft and credit-card fraud. In such cases, card reissuance and credit-watch lists are perfectly reasonable and, therefore, should be compensated by the allegedly negligent merchant.

Hannaford won most issues in the case when the court ruled that the chain had no special "duty" to protect consumer data under Maine law and that many non-economic damages (e.g., not lost money) could not be recovered under the language of Maine's consumer-protection statute. Hannaford also won when the court ruled that these speculative and remote losses (like anxiety over possible future fraud) could not be recovered under Maine law, which requires a person suing for consumer fraud to suffer a "loss of money or property."

But even on the issue on which Hannaford "lost"—the issue of mitigation damages—it ultimately won by losing. Merchants need to understand that the "Otter Letter" is not a viable strategy for customer retention. It's not a good idea to tell consumers, whose only problem is that they trusted you with their credit-card number, that they—not you—have to pay the reasonable costs of getting a new card. A better approach is to honestly tell them whether you think card cancellation or replacement or fraud-watch lists are appropriate in light of the nature of the breach. If it is a data tape sitting on a UPS truck somewhere in Des Moines, Iowa, with a bad tracking number, cancellation is unreasonable and overkill. In the Hannaford case, I probably would have cancelled my card, wouldn't you?

To the extent the case mandates that merchants treat their customers right, the case should be unsurprising. For this we needed teams of lawyers?

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.