Ben Wright left a comment on one of my postings about the Hannaford breach. He pointed to one of his blog entries titled FTC treats TJX Unfairly. Good stuff. Ben obviously understands the legal issues facing retailers much more than I do and rather than just respond to the comment, I thought it fair to put this new post up pointing to his article.
Generally, I focus on technology, so I may be guilty of haphazardly posting things about businesses like:
[Hannaford] only exposed 10% of the number of accounts that TJX did, but it's still 4.2 million accounts.

Ben got me thinking - I was implying that Hannaford is responsible for exposing (active verb) consumer information. I've already mentioned that others have done more than imply that. Even if we grant that Mark's solution would've prevented this particular case, I do see Ben's point. There is a threshold of security above which we may not want to hold retailers responsible. If a retailer is PCI-compliant and still loses consumer information, is it fair to impose massive financial implications? Does that discourage retailers from taking risks and growing their business?
Getting back to technology, Ben points to an article suggesting that the breach occurred by attackers listening in on fiber optic cable. If Hannaford was PCI-compliant, wouldn't that transmission be encrypted? Bruce Schneier told us how to eavesdrop on fiber optic cable back in September. It sounds relatively simple. Did these attackers also break one of our commonly used encryption algorithms?
I do think it's reasonable to expect companies like TJX to disable or replace their WEP security when it becomes widely known that it's insecure. And for companies that collect credit card info to provide over-the-wire encryption. But, I don't think it's an issue for government to manage. I like that the payment card industry is trying to handle the issue amongst themselves. And if they do it right, supply and demand will result in a secure infrastructure.