We hear daily about another payment card breach at a retail store, restaurant chain or hotel line. The response to a payment card breach differs from company to company. I get a lot of questions about payment card breaches and why some companies provide credit monitoring and others don’t, why some companies provide individual notification and others post it on their website and issue a press release, and why the burden seems to fall on consumers to watch their credit card bills for fraud and deal with it when the breach wasn’t their fault.
Here is my attempt to explain both sides of the story.
For the Company
From the company’s perspective, often the company has been advised of a data breach by a third party and not from its internal IT department. The FBI, a security researcher, or a credit card processor may give the company the heads up that a dump of credit card numbers on the dark web has one thing in common: a charge to their company.
When this happens, the company usually doesn’t have the name or address of the consumer—only the credit card number and security code that was lifted from its point of sale system because it does not house the data—the credit card processor and/or bank that issued the card does. So it isn’t that easy for the company to find out who the individual was behind the credit card charge as the data isn’t in its possession. They are only given information about how many credit card transactions from their company were compromised.
Under 48 state laws, the company is usually required to provide notice to the consumers of the compromise if it includes the credit or debit card number and the security code. If the company cannot obtain the credit card owner’s name and address, they usually provide notice on their website and issue a press release.
In some instances, they are able to find out the names and addresses of the credit card users, so the company will send an individual letter to those consumers directly notifying them about the breach.
Sometimes companies will offer credit monitoring for payment card breaches. This is a service that is offered to mitigate the consumer’s potential damages. However, credit monitoring is not really helpful unless the information compromised can be used to open a new account (like a Social Security number). Usually in payment card breaches, Social Security numbers are not included. Basically, one can’t use a credit card number and security code to open a new account, so credit monitoring is of limited benefit for a payment card breach.
Fraud resolution services may be offered, which are designed to assist the consumer in the event s/he becomes a victim of fraud (such as someone using the credit card after it is stolen to buy merchandise). Using the credit or debit card to buy something is a very real threat and fraud resolution is helpful to assist the consumer in the event the card is used fraudulently.
Finally, the individuals involved in the data breach may be issued new credit and/or debit cards, which inactivates the compromised card so the card can’t be used for any purchases.
Following a payment card breach, the only true way to determine whether the individual is the victim of fraud is when illegitimate charges show up on the credit card account. Luckily, credit card companies limit the amount owed by the consumer to $50, although in most instances, even this amount is waived. Consumers who are the victim of fraud will work with their credit card company’s fraud department to resolve the situation, but usually are not responsible for any of the charges.
For the Consumer
I will write this in the first person as this happened to me in the last month.
As a lawyer, I frequent Brooks Brothers for spiffy suits and businesswear. As an informed data privacy and security lawyer, I am up to date on all of the latest payment card data breaches, so naturally, I found out about Brooks Brothers’ payment card breach.
I pretty much use one credit card, and had purchased items from Brooks Brothers during the time of the data breach, so I was pretty sure that my credit card had been compromised. I always watch my credit card statement closely, but this was even more reason to do so. Brooks Brothers announced the data breach on its website (which I have never visited) and issued a press release (which is how I found out about it as it was part of a daily listserv that I subscribe to in my field). I did not receive a letter from Brooks Brothers about the breach, and I have not confirmed whether they sent out individual notices or not. I do not believe I would have even known about it if I was not in this field.
I travel quite a bit, and stay in hotel chains, including Intercontinental Hotel Group (IHG) properties. Several days after I found out about the Brooks Brothers breach, I received a letter from IHG advising that my credit card had been compromised. The letter was dated a month earlier and told me to watch my credit card statement and to contact the credit card company if there is any fraudulent activity.
Since this was the second notice I received in one month, I called my credit card company, told them about the situation, asked them to stop any activity on the compromised card and issue me a new one. They did, and I received the new card two days later, and have no worry or angst that the credit card number is being used as it is no longer active. I will still look at my credit card statement closely, but my mind is at ease that I reduced the risk of fraud.
I am in this business and knew that I was at risk of fraud not just because of one data breach, but two on the same card. I might never have known that there were two breaches because I never would have gone to either of the company’s websites. I am not in the habit of going on websites of companies that I do business with to see if they have had a data breach. Who does that? No one.
The purpose of notification to consumers is so that they are aware of the compromise and can protect themselves from fraud. If companies don’t have sufficient contact information to notify consumers individually, telling consumers that they are unable to provide individual notification because of that fact is important for them to know and shows them the difficulties the company is going through in trying to notify them. Most consumers don’t know that the companies may not have their contact information. They don’t know how credit or debit cards are processed.
Although it has its limitations, communicating with consumers on the website is the most logical way to disseminate information. But be realistic, and realize that not all of the consumers who may be affected will ever find out about the incident if notification is only through the website because consumers don’t surf every website of companies with which they do business.
Consumers: when you receive a breach notification letter, follow the instructions in it and use the information in it to protect yourself. Companies have spent a lot of time and money to get that letter to you, and the information provided in the letter is to help you.
Companies and consumers alike are adversely affected by data breaches. For companies, it is a crisis to the operations and brand of the company and can lead to a loss of customer trust. For consumers, being at risk of or a victim of fraud is disruptive and frightening. Clear communication and cooperation is needed on both sides to get through the difficulties inherent in every data breach.