A little more than a year ago, discount retailer The TJX Cos., based in Framingham, Mass., announced that it had been the victim of a massive "unauthorized intrusion" into its computer system, leaving tens of millions of customers open to possible identity theft. The ramifications of this incident are still being felt today.
The scale of the data theft was breathtaking, involving more than 94 million credit and debit cards, more than doubling the old record of 40 million cards set in 2005 in the breach at CardSystems Solutions, according to a white paper by Kevin P. Kalinich, co-national managing director of Aon's Professional Risk Solutions unit.
"The actual number of breaches may be much higher," he writes, adding that many times companies do not disclose when their networks have been hacked. "An alarming 78 percent of IT professionals in the United States claim that their companies have suffered unreported insider-related security breaches."
TJX incurred after-tax charges of $130 million in the nine months ended Oct. 27, 2007, because of the incursion, according to a press release. The company, which declined to comment, has repeatedly apologized for the breach.
In a Securities and Exchange Commission filing, the company reported that it believed its systems were first hacked in July 2005 and didn't learn of the suspicious activity until Dec. 18, 2006. It announced the incident publicly a month later, when the thefts were found to be worse than expected.
The TJX incident was a watershed moment for online retailers and may help usher in a new era in online commerce. It also is leading insurers to pressure online retailers to comply with stringent standards put into place by the Payment Card Industry Security Standards Council, a Wakefield, Mass.-based industry group with hundreds of retail and vendor members. The council put the standards into place last year, but companies are finding them difficult to meet.
In 2006, Visa set deadlines of Sept. 30, 2007, for the largest merchants and Dec. 31 for the midsize ones to comply with the standards. The deadlines for compliance for all of the card companies have since passed. "If you are not compliant now and you get breached, you are in trouble," says Bob Russo, general manager of the council.
The standards are difficult to meet for many reasons. Large legacy computer systems, which run critical functions, need to be upgraded without causing a business to grind to a halt. "It's much more difficult to take an old system and retrofit it for security," Russo says. "The last thing you want to do is break your business as you secure it."
In a Jan. 22 release, Visa says it "recently" began levying fines of $25,000 against U.S. merchant banks for each large merchant and $5,000 for each midsize one whose practices do not pass muster. A Visa spokesman declined comment. MasterCard also is fining lagging merchants but hasn't disclosed the amounts.
The standards are backed by the main payment brands, including Visa Inc., MasterCard Worldwide, American Express Co. and Discover Financial Services. The situation is attracting the attention of insurers because failing to comply with the rules could open retailers up to potential lawsuits. After the incident at TJX, demand for insurance against data breaches rose at American International Group Inc., according to a company executive. He declined to elaborate further.
Brad Gow, a vice president at ACE Professional Services, says demand for insurance against data breaches has "tripled in the past 18 months. ... I am aware of a couple D&O lawsuits arising out of data breaches."
About 10 percent to 20 percent of ACE's business for this type of coverage comes from retailers, he says. That's why companies are even more interested in PCI compliance. "They are absolutely paying attention to PCI standards," says Mark Greisiger, the head of NetDiligence, a Gladwyne, Pa.-based firm that advises insurers.
"In some cases, they won't insure the company if they are not in full compliance ... A lot of their (TJX's) peers say, if it can happen to them, it can happen to us ... That case really drove home the need for cyberrisk insurance that many of the insurers we support sell."
The push for compliance is also benefiting companies like eBay Inc.'s PayPal business, which processes credit-card transactions on behalf of both large and small e-commerce companies.
"There is no doubt that becoming PCI-compliant is cost and time intensive," says PayPal's Chief Information Officer Michael Barrett in an e-mail. "Since PayPal stores all of our customers' financial information on our own secure servers, merchants don't have to worry about the requirements of storing sensitive data."
To be sure, insurers will still underwrite policies for companies that don't meet the standards as of yet, says Nick Economidis, AIG Executive Liability's vice president and project manager for technology, media and network security.
"It's important," he says from his office in Philadelphia, though he adds, "It's not absolute."
AIG didn't change its underwriting standards in the wake of TJX because it had already ratcheted them up following the 2005 breach. The big insurer was one of the first companies to sell coverage against data breaches.
One change, though, is the growth of so-called material exclusions. For instance, insurers will only underwrite policies against intrusions on networks that comply with the standards, and ignore parts of a network that don't comply.
Kalinich says he was surprised by the low level of compliance, which he estimates at "hovering around 50 percent. ... They knew this was coming for a couple of years. You would think they would have been gearing up for it."
The picture isn't totally negative. Companies with good security practices are seeing their rates get lowered because "underwriters have better understanding where the big exposures are," according to Kalinich.
Underwriters of data-security and privacy policies are interested in a broad range of issues including a company's financial stability, employee training and awareness, sales and contract procedures, dispute procedures and, of course, security safeguards.
"The bottom line: Privacy and data-security insurance underwriters want to know that the applicant takes data security seriously, that the parties responsible for data and privacy are adequately trained and funded, and that loss-prevention practices--including baseline information security controls--are built into the company's everyday policies and procedures," Kalinich writes in his paper.
For its part, Visa has found that increasing numbers of merchants are complying with the rules. More than three-quarters of the largest U.S. merchants and nearly two-thirds of the midsize ones have now "validated their compliance" with the standards, according to that January Visa press release. These represent about two-thirds of Visa's transaction volume.
MasterCard also is trying to bolster PCI compliance through merchant education and "when necessary levying fines for noncompliance," says Chris Monteiro, a company spokesman, in an e-mail. "Above all, MasterCard takes a collaborative approach and attempts to engage all stakeholders in driving compliance." Neither Visa nor MasterCard has disclosed the names of any of the companies that have been fined.
Figuring out which companies are PCI compliant isn't easy because security is a topic that most online retailers would prefer not to discuss. Companies need to report data breaches because of state identity-theft laws. There is no provision requiring disclosure of PCI fines because they are based on a private contract. Trial lawyers, though, may exploit a lack of compliance in legal action against a company hit by a data breach, experts say.
"Walmart.com is currently PCI compliant, and we conduct annual audits to ensure compliance," says Ravi Jariwala, a company spokesman, in an e-mail. Other retailers including Borders Group Inc., Amazon.Com Inc., Target Corp. and Toys "R" Us Inc. declined to comment.
In the months following the TJX breach, the issue of data security moved from the computer room to the boardroom, according to Kalinich. "Now, the board of directors is demanding that they buy cyberinsurance," he says.
But PCI compliance is especially difficult for traditional brick-and-mortar retailers because of the large amounts of data that need to be transferred from point-of-sale systems to other networks such as accounting.
"There is just a lot more physical movement of data," says Ken Guerrini of GSI Commerce. In fact, most data breaches, including TJX's, haven't come from online retail sites.
Moreover, compliance is also technically difficult. Upgrading legacy computer systems can cost big money.
"There are more online guys that are compliant than brick-and-mortar guys," says Branden Williams, director of VeriSign's PCI practice.
"The electronic guys are used to being attacked. Security-wise, they tend to have better programs," he says. "They tend to be more organized from a security perspective." This places added pressure on companies such as GSI Commerce, which operates Web sites for such big-name retailers as Polo Ralph Lauren Corp., Toys "R" Us and Aeropostale Inc. Since the TJX breach, customers are becoming increasingly conscious of security.
"What they are demanding, at a minimum, is that we are fully PCI compliant," says Guerrini, GSI's vice president of business operations. "They will ask a lot, almost second-guessing the PCI compliance we are demonstrating. ... We have to play our role in not being the enabler."
GSI, which meets the top tier of PCI standards, hasn't seen any noticeable bump in business because of PCI concerns.
But as Forbes magazine recently noted, identity theft is growing. The magazine said the Federal Trade Commission reported that complaints about identity theft rose five percent in 2007. The average victim was hit with $691 in costs, up from $554 the previous year. And overall, thieves in identity-theft cases stole approximately $45 billion in 2007, according to the magazine. The changing nature of identity theft also poses a challenge to retailers. Lone-wolf hackers are no longer as big a problem.
"Instead, we're dealing with organized crime rings--people that go to work every day with the sole intent of stealing from customers," says PayPal's Barrett.
One way to combat identity theft is to make it harder to buy things on the Web by requiring consumers to provide more proof of their identity. Though consumers understand the need for security, they will cancel a transaction if they spend too much time jumping through security hoops. Figuring out when that threshold is crossed isn't easy.
"Security is definitely something that consumers take very seriously, but it can't become so lengthy or complex that it is a barrier to e-commerce," says Barrett. His view is backed up by VeriSign Inc., which is providing security tags to PayPal customers worried about identity theft in a test market program.
"There is no one-size-fits-all solution," says Jeff Burstein of VeriSign. "Consumer choice is going to make a difference in how people take security in their own hands."
The security tags experiment, which began last year, is going better than the companies expected, indicating the growing consumer worry about identity theft. Moreover, anecdotal evidence suggests that consumers with security tags whose numerical codes change every 30 seconds purchase more goods than they would have done otherwise, Burstein says, adding that the companies want to expand the program.
"We are in the process of talking to lots of major e-commerce companies," he says.
JONATHAN BERR has written for national media outlets for more than 15 years.
May 1, 2008
Copyright © 2008 LRP Publications