According to the Federal Trade Commission’s estimates, nearly $50 billion is lost every year as a result of identity theft and credit card fraud. Last week, consumers in the United States were shocked to hear that a team of computer hackers had broken into the networks of nine retailers and obtained more than 40 million credit card numbers. The nine retailers are Boston Market, Forever 21, Office Max, Barnes & Noble, Sports Authority, TJX, BJ’s Wholesale Club, DSW, and Dave & Buster’s.
More than 40 states have laws that require companies to inform their customers when credit card details are stolen from their stores. These laws were passed to protect customers. They give customers a chance to protect themselves against fraud and identity theft. Companies are required to give an early warning when customers’ credit card data is stolen, allowing customers to act quickly to cancel their credit cards or change their passwords and limit their losses. The disclosure can be made by letters, emails, and other modes of personal communication with the customer, or through public announcements on websites and in press releases.
Despite the laws being in effect, only four retailers – TJX, BJ’s Wholesale Club, DSW, and Dave & Buster’s – disclosed the theft to the customers.
There are several reasons why companies are reluctant to disclose a theft. Firstly, it is embarrassing – it’s like admitting your data security is not good enough. Secondly, the company will suffer a loss of goodwill. The third reason, which is probably the main reason why companies are reluctant to disclose the theft to the customers, is that such a disclosure can result in their stock prices going down.
One of the companies, Boston Market, was informed by the authorities way back in 2004 about a potential risk but did not make a disclosure. Another company, Office Max, was notified by a joint federal-state probe in 2006 that its system had been breached. Many companies believe that they are obligated to disclose only an actual breach, not the threat of a potential breach.
Despite this recent news, it is unlikely that companies will in the future inform customers when their credit card data is stolen. Companies believe that the customer, even without being informed, has the opportunity to report fraudulent activity on their credit cards to their credit card companies.
While the government is prosecuting the hackers, some questions remain to be answered. What action is the government planning to take against the companies that failed to disclose the theft to their customers? Aren’t the customers entitled to such disclosures? Don’t the companies have an obligation to provide sufficient security for the credit card data of their customers? Will the companies compensate the customers for the losses they may have suffered because of this theft, especially if the losses could have been prevented by timely disclosure?