The corporate data breach liability associated with protecting consumer payment card information continues to evolve and expand in scope. The latest trend is the increasing involvement of federal government in the enforcement of data breach prevention. Two agencies in particular, the Federal Trade Commission (FTC) and Security and Exchange Commission (SEC) have inserted themselves into the regulatory landscape. Their involvement is increasing because the common approach of self-regulation within the industry has not slowed the rate of data breaches. In the end, individual consumers are continuing to become victims of credit card theft. Protecting consumer interests is the key motivator behind the actions the federal government has taken in the data breach liability shift.
Data Breach Liability – Then and Now
To better understand the catalyst for greater government involvement, let’s take a closer look at how industry self-regulation is structured. Over the past 10 years, financial institutions representing the payment card ecosystem have developed and enforced their own set of regulations around merchant requirements to keep consumer information safe. The Payment Card Industry Data Security Standard (PCI DSS) started as a standard focused on the largest merchants. PCI DSS provides a detailed set of rules based on 12 major requirements with dozens of sub-requirements. These requirements involve technology, people and processes, and the primary objective is to reduce the risk of a data breach. Every two years or so, the PCI DSS evolves to adjust to changes in the threat landscape. The standard itself has become more complex and prescriptive. The largest companies that process more than 1 million credit card transactions per year are evaluated by Qualified Security Assessors (QSAs), which are auditing firms approved by the PCI Security Standards Council. However, only 1% of merchants are large enough to require an audit; the remaining merchants are required to self-assess their adherence to the PCI DSS standard.
Based on the number of successful data breaches occurring among smaller merchants, it has become clear that the self-assessment process has not been successful in terms of deterring cyber crime. New techniques have emerged that enable cyber criminals to steal payment card data during a single transaction, and then duplicate the process over multiple POS systems and locations.
The FTC is increasingly holding franchisors accountable for the security of customer information at franchised locations. Although franchise owners operate independent businesses, they do so in accordance with prescribed technology and process from the franchise brand. So although the franchise owner was originally the first entity to bear financial responsibility for a data breach, the FTC is now shifting the data breach liability to the franchisor.
Similarly, the SEC has inserted itself in data breach enforcement. In 2015, the SEC fined R.T. Jones Capital Equities Management Inc., an investment adviser, $75,000 because they failed to establish the proper cyber security protocols ahead of a 2013 data breach. Approximately 100,000 personal information records were stolen. The SEC deemed R.T. Jones as culpable because they failed to install a firewall or encrypt the sensitive information stored on its server.
The key takeaway is that companies of all sizes must embrace PCI compliance and invest the necessary time and resources to become fully compliant. The repercussions will become more severe as the government becomes more involved.
For more information on federal regulations surrounding data breach liability as well as risk reduction tips, check out Law360’s article.