The huge security breach at Target should be a wake-up call to regulators and retailers to add safe guards to better protect financial transactions. With more consumers relying on debit and charge cards for everyday purchases, better security is essential for the banking system to function, households to budget and consumer confidence to remain high in the economic system.
Target announced Dec. 19 that approximately 40 million credit and debit card accounts had been breached, with data taken from the cards' magnetic strips. The company later announced that separate data on 70 million people — including their mailing and email addresses, phone numbers and other information — may also have been stolen in the opening weeks of last year's holiday shopping season. The number of people affected could reach the equivalent of one in three Americans. And the theft could cost retailers, banks and consumers billions of dollars in uncovered losses and other costs.
The New York Times reported last week that Target's networks were "astonishingly open." Experts said the hackers entered through a digital gateway that lacked virtual walls and other security features, enabling the thieves to move quickly through company servers, stealing credit, debit and personal financial information including PINs. The computer code was malicious enough to cover its tracks and keep Target in the dark for weeks until the Secret Service alerted the company.
The size of the theft and the sensitivity of the data stolen reflects the role that charge and debit cards have taken on in the marketplace. Their convenience and the financial incentives that card issuers give consumers to use them also mean these cards will remain popular as a substitute for cash. That's why regulators and retailers need to move faster to strengthen security, and do more to separate billing from other personal data that retailers use for marketing purposes.
Target's chief executive said this month that the nation's No. 3 retailer would make "significant changes" in the wake of the theft. One place to start is by having the nation move more quickly toward adopting "smart-chip" technology, encrypted chips that are more secure than magnetic stripes on the backs of existing cards. That shift is not expected to take place until 2015. It should begin in earnest now.
The nation also needs a uniform standard for reporting data breaches. While 46 states have a notification requirement, the rules are all over the map, and the states give businesses wide latitude in reporting a breach to consumers. Florida, like many states, requires notification "without unreasonable delay." But that timetable can stretch for nearly seven weeks after a breach was found to have occurred. And Florida, like other states, also allows a notification waiver upon a request by law enforcement. These loopholes do not provide adequate security in an era when millions of people can have their sensitive, personal information stolen overnight.