Liability Issues

By Ericka Chickowski  |  Posted 2008-03-28

As details trickle out about New England’s Hannaford Bros. grocery chain’s data exposure of 4.2 million customer records, questions are swirling about the implications affecting a merchant that has already been certified compliant with PCI security standards. Will security assessors be found liable?


Liability Issues
Analysts such as Litan, Rothman and Diana Kelley of Security Curve are watching closely as the Hannaford drama unfolds, because it is the first big test of legal liability for data breaches at PCI-compliant merchants. Both Litan and Kelley agree that compliance is hardly a shield against becoming the target of a lawsuit, as a pair of class-action suits against the chain has already demonstrated. The open question is whether the courts will give Hannaford credit for due diligence simply because it was in a state of compliance at the time of the breach.

“The bottom line is that PCI compliance does not give you any indemnification or protection; there's nothing in the process that says ‘now you're safe.’ But that's never been something that stores expected,” Kelley said. “I think where it's going to be interesting is to see how the lawsuits go, because a smart lawyer can now say, ‘Look, my client was compliant with the industry standard best practice.’ So that might impact their liability a little.”


Therein lies the problem with the mindless pursuit of compliance that some in the “check-box compliance” crowd still chase, says Fred Pinkett, vice president of product management at Core Security Technologies, a penetration testing firm and a PCI Qualified Security Assessor (QSA).

“At the end of the day, the fact that you were compliant but you did it in an irresponsible way doesn't stop you from being sued,” Pinkett said. “As far as I know, there is no legal precedent for saying I’ve got a stamp from these third parties so that means my responsibility is fulfilled. I don’t think anyone has tested what reasonable security is or what reasonable best practices are for protecting credit card data in a consumer responsibility and a legal sense.”

Litan agrees that Hannaford’s state of compliance won’t protect it from being slapped with lawsuits, but it should keep the chain from being held accountable for the cost of fraud incurred as a result of the breach.

“There's no safe harbor for lawsuits,” Litan said, “but in terms of the card companies’ rules, what I've been told is that if you're in compliance at the time of the breach, then you're not liable for the fraud costs.”

These costs are typically incurred by a number of banks across the country that must reissue cards to customers affected by the breach. These banks then bring their complaint to the various card brands, such as Visa and MasterCard, which reimburse them with the expectation that they’ll recoup the losses from the breached merchant’s bank. Called the ‘acquiring bank,’ this bank has the right to recover its own losses by taking that money from the breached merchant’s account if the merchant isn’t PCI compliant. But under PCI rules, the acquiring bank is left holding the bag if the merchant was certified by a QSA as PCI compliant at the time of the breach.


“The buck does stop with the acquiring bank,” Litan said. “I think the biggest change (this could spark) is that acquiring banks are going to take this more seriously instead of just delegating it to assessors and just kind of accepting whatever the assessors say.”
