Tuesday, March 18, 2008

Supermarkets Hit by Data Security Breach

Customer Data Exposed - Delhaize-owned Hannaford Bros and Sweetbay grocery store chains announced on Monday that a computer hacker stole its customers' debit and credit card numbers and expiration dates. About 4.2 million cards were affected, and 1,800 cases of fraud have been linked to the breach so far, including use of the card data in Houston, Detroit, San Francisco, France, and Brazil. (Reuters).

Recent Security Breaches Involving Other Merchants - This is the latest of numerous security lapses in the last few years involving exposure of private consumer information, including several lapses by retailers or consumer goods companies. On March 3, 2008, for example, Kraft reported the theft of a company laptop containing 20,000 names and possibly social security numbers of employees. On January 4, 2008, Sears admitted that customer purchase data had been inadvertently exposed to online visitors. A $5 million class action complaint was filed against Sears for alleged privacy violations, as well as breach of contract, breach of fiduciary duty, and a violation of the Illinois Consumer Fraud Act statute. On April 15, 2007, the Attorney General of Texas filed a complaint (.pdf) against CVS pharmacy for alleged improper disposal of customers' personal information.

TJX Breach - In January 2007, the largest known theft of credit card numbers in history was revealed involving stores owned by TJX (which owns TJ Maxx, Marshalls, and other chains). Over 100 million accounts may have been compromised. Reports state that hackers were able to access data over a poorly-encrypted wireless network used to transmit data through the air from hand-held devices. Using that information, thieves were able to hack into TJX's central database. In response to the breach, some states have passed legislation imposing new restrictions on the handling of consumer information and requiring disclosure and notification after a breach. TJX set aside $250-million for related costs, and some estimates suggest that total costs over the next few years could rise to $1 billion. TJX paid $40.9 million in a settlement with Visa, set up a $107 million reserve fund for a settlement with a coalition of banks, and reached a settlement in a class action case brought by customers.

The proposed TJX consumer settlement offered vouchers, reimbursement, credit monitoring, identity theft insurance, and a special one-day sale. The 455,000 customers who made a return without a receipt are eligible for the credit monitoring and insurance, along with reimbursement for certain costs related to the breach. The vast majority of customers will likely get nothing (other than the 15% off one-day sale). Those who had out-of-pocket expenses related to the breach but did not make a return without a receipt are eligible for vouchers of up to $60.

The low value of the settlement to customers is consistent with the lack of success consumers have had in similar data security cases. There are several problems plaintiffs have faced in such lawsuits. First, many individuals whose information is compromised have not been subjected to identity fraud, and their damages are therefore difficult to prove. Second, even if a plaintiff has been the victim of identity fraud, it is difficult to establish that any particular exposure of the confidential information caused the identity fraud. Most of the thieves of electronic data are never caught, making it difficult to trace the flow of information.

Conclusion - Retailers should ensure that they have adequate security in place to prevent breaches and exposure of customer information. Retailers should comply with applicable regulations regarding security and disclsoure, and limit customer data that is collected and retained, as this will help limit potential liability. When data breaches occur, retailers can be subjected to bad publicity and substantial liability, but if the incident is handled properly, bad publicity and damages can be contained. TJX, for example, has seen its stock fully recover to above pre-breach levels, and their one-day sale may offer positive publicity and help restore customer goodwill.


The Law Firm of Kotchen & Low LLP - Civil Litigation, Counseling, and Representation Before Government Agencies

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.