BJs, Heartland Got Off the Hook Legally, but Lost in the Court of Public Opinion

By: Chuck Crawford

On December 11, the Massachusetts Supreme Court dismissed a class action suit by dozens of credit unions against BJ’s Wholesale Club.  BJ’s, based in Framingham, MA, has more than 8 million consumer shopping club members.  The plaintiffs were claiming substantial damages after more than 8 million of its credit cardholder records were compromised in 2004. They maintained that BJ’s was negligent in not adequately safeguarding customer credit card data.

Two weeks before the BJ’s decision, a New Jersey district court judge summarily dismissed a class action suit by shareholders and others against Heartland Payment Systems, Inc. Heartland is a NYSE-listed provider of merchant credit card processing that had as many as 130 million credit card records compromised in late 2008 – making the incident the largest credit card data breach in history. The complaint claimed that Heartland had publicly misrepresented the level of its data security diligence leading up to the incident and should have done more to prevent the exposure of data.

The dismissals appear to be based largely upon narrow legal arguments, such as whether the plaintiffs had proper standing to bring such an action, and whether tangible damages could be proven.  In both decisions the courts concluded that, despite their loss of data, the companies had not publicly misrepresented their level of diligence in protecting cardholder data entrusted to them.

The courts’ actions were decisive legal victories, and they set precedents in the tort community suggesting that class actions claiming extraordinary damages from breaches may not be so easy to prove in the future. Otherwise, though, the litigation was somewhat anti-climactic and beside the point.

In the higher court of public opinion, BJ’s and Heartland, TJX, Hannaford Brothers Supermarkets and the dozen other major credit card breach targets of the past decade had already been sentenced to lose a measure of hard-earned brand reputation from the moment their breaches were disclosed. The degree to which public trust dissipates after a breach varies with the size of the breach, the nature of the business and the deftness of each company’s response to the crisis. Are these companies cast as victims of a crime, or – by lax security misfeasance – unwitting accomplices?

A company’s reputation has a value far beyond quantifiable dollar damages. That is why merchants that trade on trust in particular – such as insurance companies, banks, lenders and other payment services – are often looking beyond the arguable validation of safety that comes with Payment Card Industry Data Security Standard (PCI DSS) compliance. Instead, they are more concerned with finding a virtually fool-proof way to prevent a data compromise, whether or not that goes beyond the PCI guidelines.

As long as cardholder data remains in the merchant’s systems in any form, encrypted or not, there is some chance of accidental or malicious data compromise, especially when the data, or the keys needed to decrypt it, are “in motion,” traveling between servers, databases and parties.

On the other hand, tokenization, like EPX’s patent-pending BuyerWall™ suite of card data replacement code technologies, offers merchants as close to absolute reputation protection as is possible today. With BuyerWall, at-risk card numbers never reside in a merchant’s IT systems in the first place; there is nothing of value to be lost or stolen. At-risk cardholder data is substituted with BuyerWall “BRIC” transaction reference codes (sometimes referred to as “tokens”). BRICs are safer than encryption because i) they are not derived from credit card numbers and ii) the original data is not kept in the merchant’s environment. The sensitive card data is vaulted safely in EPX’s ultra-secure environment – subject to the most rigorous PCI external auditing and other requirements.

As it happens, eliminating card data through tokenization also greatly simplifies PCI compliance and remediation by taking most of a merchant’s card data topography effectively ‘out of scope.’ But, for the many merchants focused on brand risk more than arbitrary rules or security costs, it is the near certainty of data security that can come with the absence of card data that gives C-level executives and directors one less surprise to worry about at night.
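To make the separation described above concrete, here is an added example (not EPX or BuyerWall code) of a hypothetical in-memory vault and merchant: the card number passes through to the vault, the token is random rather than derived from the card number, and the merchant’s own store holds nothing that reconstructs a card. The “BRIC-” prefix, the token length and the Luhn pre-check are assumptions made for illustration.

```python
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check: lets the vault reject malformed card numbers before storing them."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault: the only place a token-to-PAN mapping exists."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}  # same card -> same token for repeat customers

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed PAN")
        if pan not in self._token_by_pan:
            # 128 random bits, not derived from the PAN; "BRIC-" is a constructed label, not EPX's format
            token = "BRIC-" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can map a token back; unknown tokens yield None."""
        return self._pan_by_token.get(token)


class Merchant:
    """Merchant environment: the PAN goes straight to the vault; only the token is stored."""
    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: dict[str, str] = {}  # order id -> token: all a breach of this store exposes

    def checkout(self, order_id: str, pan: str) -> str:
        token = self._vault.tokenize(pan)  # PAN is in transit through this call, never at rest here
        self.orders[order_id] = token
        return token
```

Reading the merchant’s `orders` after a simulated breach shows only tokens, none of which passes a Luhn check or contains a card number; mapping a token back requires the vault, which lives outside the merchant’s environment.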
