Retailers Should Tell Customers About Security Breaches When They Happen
After a huge identity theft ring involving the thefts of 40 million credit card numbers was busted last week, most retailers were under an obligation to tell customers whether their data was stolen. According to the Wall Street Journal, however, some retailers kept their mouths shut instead:
Most states mandate that companies tell their customers when their credit-card data is stolen from the stores. But when federal prosecutors disclosed last week that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.
That’s because only four of the chains clearly alerted their customers to breaches. Two others — Boston Market Corp. and Forever 21 Inc. — say they never told customers because they never confirmed data were stolen from them. The other retailers — OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. — wouldn’t say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.
The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ’s Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster’s Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.
Three of the companies claim they never found a security breach–though the Feds did. The reason they didn’t disclose, according to the article’s quotation of Affinion Security Center executive Dan Clements, is that “Telling the public that they’ve been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down.”
Concealing a breach can’t possibly help them in the long run. Now the companies that stayed quiet find their word pitted against that of the Feds. This seems like a far worse outcome than admitting a breach, informing customers, and watching the stock price fall temporarily.
As a customer of all three of the retailers who didn’t admit to breaches, I feel alienated.