Retailers Should Tell Customers About Security Breaches When They Happen

After a huge identity theft ring involving the thefts of 40 million credit card numbers was busted last week, most retailers were under an obligation to tell customers whether their data was stolen. According to the Wall Street Journal, however, some retailers kept their mouths shut instead:

Most states mandate that companies tell their customers when their credit-card data is stolen from the stores. But when federal prosecutors disclosed last week that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.

That’s because only four of the chains clearly alerted their customers to breaches. Two others — Boston Market Corp. and Forever 21 Inc. — say they never told customers because they never confirmed data were stolen from them. The other retailers — OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. — wouldn’t say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ’s Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster’s Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.

Three of the companies claim they never found a security breach–though the Feds did. The reason they didn’t disclose, according the article’s quotation of Affinion Security Center executive Dan Clements, is that “Telling the public that they’ve been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down.”

This concealing behavior can’t possibly help them in the long run. Now the companies who stayed quiet find themselves in a position of their word vs. that of the Feds. This seems like a far worse outcome than admitting a breach, informing customers, and watching stock price fall temporarily.

As a customer of all three of the retailers who didn’t admit to breaches, I feel alienated.

More Popular Stories:






Subscribe

Comments

  1. Dan's Gravatar Comment by Dan on August 11th, 2008 at 9:48 am

    Are you supposed to do anything if you shopped at any of those retailers within the last year?

  2. Robert Barr's Gravatar Comment by Robert Barr on August 11th, 2008 at 11:26 am

    “Telling the public that they’ve been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down.”

    How the $%#&@ is there not legislation requiring a company to reach out to their customers within a specified time frame letting them know their personal data may have been stolen?

    Am I over-reacting? I don’t know. But let’s move the risk away from something non-threatening such as identity theft and stroll down the road of stalking, or rape, or murder.

    Could you imagine the culpability a company would have if there was a murder caused by a someone who received stolen information from a company that didn’t inform it’s customers about the breach? Seems far fetched right? Well, I am not a lawyer, but I wouldn’t want this case.

  3. Drea's Gravatar Comment by Drea on August 11th, 2008 at 11:53 am

    Dan, I think that you can get together with a bunch of other consumers and build a lawsuit–after all, the Feds have proof of the theft. If the retailers didn’t tell you, you could also send them a letter or call and complain, which might get you a gift card, who knows…

  4. Robert Barr's Gravatar Comment by Robert Barr on August 11th, 2008 at 12:48 pm

    Drea,

    You guys really have to activate editing :) I go back and read my posts and I look and sound like a lunatic! Not to mention my rants don’t lend themselves to spell checking and proper word use!

    Robert

  5. Marsram's Gravatar Comment by Marsram on September 5th, 2008 at 6:16 pm

    First of all, these companies have a legasl obligation to inform all investors (stocks and otherwise) and customers (product/services buying inverstors) if security has been breached. What if officials didn’t tell residents about Hurricane Katrina? Those officials would not have a JOB. What if a company collapses and identities have been stolen and know one knows it, until some terrorists have boughten our spaten? JUst watch some of the b-cheap disaster movies of the 70′s, and see what might happen when you don’t tell anyone, while they party, that you cut corners on the 80 story building you were contracted for in the heart of downtown Los Angeles. Oh, oh. Can anyone sing, “We may never love like this again”?

    Identity theft is a huge problem, being the dark side of our internet. If a company is given leeway to not inform its public, then they will be held accountable, as all contractual accountability has been breached by what is termed as, ‘breach of communications’, which leads to abuses of all kinds. Meanwhile, all investors (customers (even potential) included) have the right to know, merely, though not confined, for the sake of their own personal protection. Any company that supercedes this is doing so out of line of corporate (DBA’s, etc.) code of ethics.

    While we are suffering because of too many corporation scandals already, why should we tolerate this damaging reality, when we have paid for what has been rightfully ours along, being our indentity.

  6. Marsram's Gravatar Comment by Marsram on September 5th, 2008 at 6:27 pm

    Misspelled, legal in above response. There once was a time, if you bought the darned thing, the darned thing is yours! Now… sign this product agreement, you’re only leasing this, and that. Don’t do this with this product and don’t do that, meanwhile, oh, oh, your ID has been stolen… but… not sorry we didn’t tell you, because then you would have lost confidence in US and our stocks would have fallen, and we would have to give up some of the cavier. There was a time when you’d call a company, and they had better answer in three rings, or watch out! Now… they put you on with a computer and musak for forty minutes, while your whole household is probably being monitored by your telephone on hold. Lol. Peace to all.

  7. Marsram's Gravatar Comment by Marsram on September 5th, 2008 at 6:28 pm

    Oh, and God Bless America!

  8. Marsram's Gravatar Comment by Marsram on September 5th, 2008 at 6:40 pm

    Robert, you’re not the only one who has misspelled words. I just reread my document, and realized my clerical errors. Oh, well, you all got the message, I hope? Lots of Love.

Leave a Reply