Who Really Pays For Weak Retail Security?

As legislation moves through the Massachusetts legislature--and is threatened to be introduced into the U.S. House of Representatives--assigning responsibility for retailers if they have a data breach that is found to be their fault, former federal prosecutor Mark Rasch makes an interesting observation.

While the debate has focused attention on the banking lobby's position that they foot the bill for the losses due to retail errors, he counters that, ironically, it ends up being the retailers--as a group--who pay for retail security violations.

No, we're not talking about retailers having to pay higher card interchange rates to pay for the fraud. That's true, but there's a much more real cost. When a cyberthief steals data from TJX, that thief will quickly try and convert it into spending money, most likely via a fraudulent card-not-present purchase that is quickly converted into cash.

Those fraudulent purchases are usually made at retail locations. When those charges are reversed by the banks, it's the retail victim that often ends up paying for that merchandise. If there was justice in the world, the thief who steals data from TJX would then make fraudulent purchases at TJX, but data thieves?who tend to have a poorly developed sense-of-the-ironic?often make their bad purchases anywhere but the retailer from whom they stole the data.

But wait, this gets even more perverse. If you take the scenario to the next logical step, it means that a TJX would indeed get punished when, let's say, cyber thieves break into the databases of CircuitCity or RiteAid and then use that information to make fake purchases at Marshalls or TJ Maxx.

In an Orwellian twist, a retailer would fare best by comparison as long as every other retailer has a better security setup. Talk about retailers having to pay for the sins of their brothers.