Second Suit Filed Against Michaels
POS Skimming Raises Questions About Breach Notification
In May, after Michaels announced to customers that POS terminals at stores in at least 20 U.S. states had been affected by a POS swapping scheme, Chicago resident Brandi Ramundo filed a federal suit against the crafts retailer, claiming it should have done more to protect its customers' cards from breach and compromise.
Ramundo's five-count suit seeks a jury trial, compensatory damages, as well as consequential and statutory damages. The suit also includes an order for Michaels to pay for card-fraud monitoring services for consumers hit by the scam, as well as compensation and punitive damages for costs associated with the suit. [See Michaels Breach: Who's Liable?]
The most recent suit, a five-count class action filed by May Allen of the Chicago suburb Libertyville, Ill., takes a different turn, claiming Michaels took too long to notify customers of the breach. In fact, the suit alleges some customers were never directly notified by Michaels at all.
The suit, which also seeks more than $5 million in damages and claims the retailer did not adequately secure and inspect its POS terminals, says Michaels' notification measures after the breach violated the federal Stored Communications Act as well as the Illinois Consumer Fraud and Deceptive Practices Act.
The breach was first linked to a select group of Chicagoans who reported fraudulent transactions had posted to their bank accounts. The common link was quickly traced to Michaels, where debit card details were allegedly skimmed at the point of sale. Investigators believe legitimate POS PIN pads were traded or swapped for PIN pads manipulated to skim card data.
The Secret Service continues to investigate. On May 12, Michaels issued a statement saying it suspected that only purchases made between Feb. 8 and May 6, the date by which all of its U.S. POS terminals had been replaced, were exposed to possible compromise. Despite the attack, Michaels also reported a record first quarter for revenue.
Liability and 'Reasonable' Notification
Both suits raise interesting questions about liability and breach notification.
From a liability standpoint, Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the relatively recent emergence of security hacks has exposed the age of many lingering contracts between merchants and card-issuing banks. Though it may appear the retailer should be liable, that's often not the case, according to the contract.
"There is a lot of entanglement in the credit card industry," Sabett says. "It all goes back to the contract. It's often hard to pin anything down in the contract. But the way most of these contracts are written, the retailers aren't liable."
Breach notification is another gray area, says Linda Foley, co-founder of the non-profit Identity Theft Resource Center. Forty-six states have breach-notification laws on the books, but no two laws are the same, and enforcement is weak.
Both Illinois, the state where Allen's card was compromised, and Texas, the state where Michaels is based, have breach-notification statutes on the books. In Illinois, companies are required to notify consumers of breaches that expose personal information within a "reasonable" period of time. The Texas law reads similarly, saying companies should notify the public as quickly as possible.
Need for National Notification Requirements
According to the Identity Theft Resource Center, 2010's data breaches proved that a national call for mandatory breach notification must be part of regulators' plans in 2011.
"Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state's attorney general's office," Foley says. "That is where those 200 breaches [from 2010] are that we found out about that were nowhere in the media; no one would have known about those if those states of New Hampshire, Maryland, Vermont and Wisconsin had not had a public website."
The disjointed reality of breach notification came up last week during a House subcommittee hearing that called Sony and e-mail marketing provider Epsilon to testify about the measures they took to notify consumers after their well-publicized breaches. [See Sony, Epsilon Testify Before Congress.]
During that hearing, representatives from both Sony and Epsilon said they favored a national breach notification law. "Working with various notification laws from different states is confusing," testified Jeanette Fitzgerald, general legal counsel of Epsilon Data Management LLC.
Until a national act passes, cases like Michaels could set legal precedent about what is considered reasonable and sufficient when it comes to notification. "Our goal is to have a government agency post the information, so that the public has the opportunity to see what is going on and find out the information for themselves," Foley says.