National Consumers League

Shoppers deserve trust and security from our biggest retailers

By John Breyault, Vice President of Public Policy, Telecommunications and Fraud Imagine that you’re the CEO of Target today. As one of the 25 most admired companies in the world, consumers’ trust in your brand is paramount to your success. Over the past week you’ve learned that your company is the victim of one of the largest retail data breaches in U.S. history. Cyber thieves compromised 40 million consumers’ credit and debit cards. To add insult to injury, the breach happened during the height of the holiday shopping season – the most important month in your company’s calendar.

With every media story about the incident, each outraged consumer Facebook comment and critical tweet, that trust is eroded. It’s clear that Target is facing a public relations nightmare. How they react to this will determine how much faith consumers will continue to place in the brand. Unfortunately, the advice consumers are getting from the company so far is depressingly familiar: monitor your credit and debit card statements, keep an eye on your credit report and report irregularities promptly. This is the advice consumers hear after virtually every data breach. Are the increasing number of data breaches just something that consumers need to get used to?

In a recent article about the Target breach Mark Rasch, a former U.S. prosecutor of cybercrime said, "Most of these attacks are just a cost of doing business," As advocates for consumers, we categorically reject the notion that the status quo is an acceptable outcome. We must not accept a marketplace where consumers are asked to make ever more data available to more entities but are stuck with the consequences when those entities fail to protect our data. We think that the government and private sector can and should do more to protect the vast amounts of sensitive data that they are collecting from consumers. This is not a new issue.

For decades, data security experts have discussed ideas about how to improve the situation. At its core, consumer and business data is the focus of a never-ending arms race between those that want to protect consumer data and those that want to steal it for fraudulent uses. Just as no bank can ever be 100% secure from a robbery, no data can ever be 100% secure from a breach. However, consumers should be able to rely on a certain basic level of data security. Unfortunately, that is exactly what we lack today. Shockingly, there is no one law in the U.S. that mandates the steps businesses should take to protect their customers’ data. Instead, consumers are reliant on precedents set by Federal Trade Commission enforcement actions.

Since 2000, the FTC – under it’s “unfair and deceptive acts or practices” authority -- has brought nearly fifty data security cases against companies whose data security practices (or lack thereof) have put consumers at risk. However, that authority could be taken away if the FTC loses in two closely watched court cases. Should the FTC lose, consumers will be left without one of the most important watchdogs in this fight. Consumers should not be left to fend for themselves against the legions of sophisticated and organized data thieves. The Target breach, and the daily smaller breaches that go unreported should serve as a wake-up call for legislators and regulators that data security reform is urgently needed.