More Litigation Against Retailers Expected Why Banks Are Likely to Seek Damages After Card Breaches

In light of recent retail breaches, courts are likely to start holding retailers more accountable than they have in the past for financial losses that result from fraud, says Al Pascual, a financial fraud expert and senior analyst at the consultancy Javelin Strategy & Research.

Because of those breaches, class action lawsuits have been filed on behalf of consumers. And banks are expected to soon follow by taking legal action as well, Pascual says during an interview with Information Security Media Group [transcript below].

"They feel like merchants, in this case, are not doing what they should be doing," he says.

Financial institutions end up suffering from these breaches because of the fraud losses linked to card compromises, Pascual explains.

As a result, organizations such as the National Association of Federal Credit Unions are lobbying for national data breach legislation to hold retailers more accountable, he says. Financial institutions have an incentive to look at the case and assign liability, "because it's their cards that are being misused," Pascual says.

Case Precedents

Recent litigation against MAPCO Express, a convenience store chain, and Schnucks Markets Inc., a grocery store chain, following retail breaches highlight a growing trend, he says.

"Cases such as these allow consumers and issuers to assign more liability," Pascual says. "They know where the breach occurred. For consumers, this hits home. ... They assume certain data is protected; and when it's not, they realize they will be a fraud victim."

Retail breaches are getting attorneys' attention because of the risks they pose for identity theft and other ongoing credit-related hassles, he says.

During this interview, Pascual discusses:

  • How the losses associated with retail breaches cost consumers and banking institutions far more than they realize;
  • Why retailers and card issuers should encourage consumers to sign up for potential fraud alerts that could help reduce fraud losses;
  • Why legislation and public opinion about liability after a retail breach is likely to soon lean in banking institutions' favor.

Pascual leads Javelin's security, risk and fraud practice. He began his career with HSBC during the height of the mortgage boom. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. Later he joined Fidelity National Information Services, now FIS Global, to oversee data driven investigations of organized payment fraud groups in the U.S. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.

Litigation Against MAPCO

TRACY KITTEN: Recent class action suits filed against MAPCO for a malware attack it suffered in the spring caught your attention. Why?

AL PASCUAL: What we're seeing is that retailers are a prime target this year, but breaches have been a major factor in fraud for years. Just as an example, in 2010, if you would have received a data breach notification as a consumer there was an approximately 11.8 percent chance that you would also be a victim of fraud. In 2012, that nearly doubled, meaning that one in four data breach victims was also a fraud victim. What we're trying to say here is that breaches beget fraud, and the question is, really, "Who is paying for it?" When we start talking about these class action suits, I think we're trying to even things out or level the playing field, because it's not just the organizations that are breached that incur cost; there are actual fraud costs that affect far more than just the breached organization. That's why I find this whole thing so interesting.

Retail Malware Attacks

KITTEN: Other suits have been filed in recent months for similar breaches; one that comes to mind is the Schnucks grocery chain. Are these retail malware attacks getting more attention from lawyers?

PASCUAL: I think cases such as this allow consumers and issuers to more clearly assign responsibility. They can look at a single organization and say, "This is where the breach occurred." If you're an issuer, identifying that common point-of-purchase is always a challenge. When you're investigating card fraud, with these cases, they know these transactions occurred or these cards were used at this one retailer; so it makes their job a lot easier.

For consumers, it hits home because these are typically businesses where they shop constantly. And if you're going to shop at a supermarket, you're going to shop at this same one pretty regularly. I think consumers take this a bit personally. There's a question of trust when it comes to providing our personal information or our payment information to an organization, and we expect that these organizations protect that information. When they don't, we want to be properly compensated. What we're seeing here at Javelin is that when a consumer's information is compromised, that consumer is going to be a fraud victim, "I trusted you and you didn't protect me, so now how are you going to make me whole?" I think that's really why these retail attacks are drawing so much attention.

Claims Driving Lawsuits

KITTEN: Beyond the claims that these retailers were not PCI compliant at the time they were attacked and card data was ultimately exposed, what core claims or issues are driving many of these lawsuits?

PASCUAL: I'd say that the driver here is really connected to that same PCI compliance argument, but maybe the perspective is a little bit different. But it's really a question of acting in good faith, where consumers expect retailers to protect their information, whether that means being PCI compliant or even keeping the data more secure than what PCI compliance requires. I think it's really the good-faith question, and when retailers are not protecting that information as they should, when they're not staying abreast of issues, whether that be from alerts from card networks or otherwise, consumers feel like the retailers just didn't do enough. I think that's really what's driving these class action lawsuits. The whole PCI compliance issue [is] causing some headaches, as far as issuers are concerned; but I think for consumers, it really is the good-faith angle that's pushing this down the road.

Lack of Merit?

KITTEN: Retailers such as Schnucks have claimed that many of these suits have no merit. Do you agree?

PASCUAL: These breaches don't occur in a vacuum. These pieces of information, whether that be the card data or other pieces of information, are being stolen for a reason. Something's actually happening with that information. As I just mentioned, one in four breach victims later becomes a fraud victim. The bad guys are stealing a lot of this to commit fraud, and there are real costs associated with that. But again, those are costs that are borne by institutions and individuals other than the breached organization. An organization somewhere is breached; then that information is misused to attack financial accounts, to commit things like new account fraud or to attack existing accounts for account takeovers. And these are pretty expensive types of fraud.

If we're talking about payment card data, that information is then misused to make purchases. You don't steal millions of card numbers to do nothing with them. And beyond the organizations or businesses that are being attacked or being defrauded with these stolen pieces of information, that information actually belongs to somebody. There's a consumer on the other side of that piece of information, and they're also a victim. They not only will feel violated by identity fraud, but there are actual costs to them as well.

Even if they're covered by zero-liability policies, or Regulation E, they still have to incur out-of-pocket costs when they're taking time off work to file a police report, or the time they spend dealing with disputing charges or fighting back and forth to determine who actually accessed their account and wired thousands of dollars out of it. These breaches aren't happening without a reason, and I really think that these claims have some honest merit behind them.

Calculating Cost of a Breach

KITTEN: Why is calculating the overall cost of a breach so difficult?

PASCUAL: When you talk about cost, there's a part of it that's actually pretty easy to calculate. That's the remediation cost. That's the cost to an organization to improve their security, to pay fines ... as a result of the breach, and we've seen research out there that covers that. The hard part is calculating the actual fraud that's associated with the breaches. What's the damage done to those external to the breach? That is what has been so difficult, because there's very little incentive to follow the trail, if you will, when investigating these cases, besides the fact that the number of cases can be incredibly overwhelming.

If I needed to establish whether or not fraud was committed as a result of a breach, I would have to follow that from the infiltration of the system, where the data is stored, figure out where that information went to and who got their hands on it, and then determine where they sold it and who they sold it to. From there, I'd have to determine then whether or not they used the information themselves or gave it, let's say, to a runner, and then identify how much was actually lost. You have to do that for every single case - every single piece of information that was stolen. That's incredibly challenging for any organization to do, especially when we start talking about thousands, hundreds of thousands or millions of pieces of information. If you're going to take that [approach], which unfortunately many state laws require that you do in order to be reimbursed for any fraud, you're going to have a really hard time figuring out exactly how much these breaches cost. There are other ways to do it, and that's something that we've tried to look at.

Cost of Retail Breaches

KITTEN: In a study that Javelin issued in early 2013, the research focuses on the cost of retail breaches. What types of costs were including in Javelin's reporting?

PASCUAL: We took a look at what research was available, the cost of remediation that's out there. There's data breach research around the forensics piece, investigating how it occurred and what the motivation was. There wasn't was an in-depth study on the actual fraud cost and consumer cost. We think that's actually the largest component and that it was totally ignored, so that's something we wanted to focus on. We did a number of case studies and we looked at what types of fraud could occur as a result of each breach, and how much fraud in total would incur as a result. We saw projections from the hundreds of millions to billions of dollars in fraud, and that's fraud that affects FIs, retailers and other businesses.

We also saw millions, tens of millions, hundreds of millions of dollars in cost to consumers, and consumers spending millions of hours in total resolving fraud resulting from these breaches. We really wanted to put a human face on these because we think that has been sorely lacking.

Card Issuers

KITTEN: Can we soon expect banks to be filing lawsuits just as consumers have?

PASCUAL: I think that's right around the corner. The NAFCU have been lobbying for national data breach legislation as a result of all the retailer breaches we've been seeing. Financial institutions have an incentive when, say, a retailer breach occurs, to look at the case from beginning to end in order to assign liability, because it's their cards that are being misused. They feel it in the pocket. They're doing all the work and they feel like merchants, at least in this case, are not doing what they're supposed to be doing. FIs and merchants can have a bit of a contentious relationship anyways; there's always the issue of charge-backs and the feeling that they're not working together as they should. I think that issuers are pretty well-motivated to get involved here, and, once we start seeing a little more steam on these civil suits, they will join in on short order.

Industry Response to Lawsuits

KITTEN: How is the industry responding to this rash of class action lawsuits that we've seen emerge over the last six months?

PASCUAL: As far as retailers are concerned, right now it looks like they're hiding behind state laws, which really have a pretty onerous requirement for establishing the connection between the breach and fraud. Again, it goes back to ... proving it from the very beginning of the system being infiltrated to the very end where the information is misused and filling in everything in between, which is a very tough thing to do. They're relying on that now to protect them. There's a lack of precedence, otherwise, when it comes to assigning civil liability, which is likely to change pretty soon. As far as the financial industry is concerned, the industry itself hasn't been the victim of much in the way of breaches over the past several years, but they're suffering a good deal of the cost and, as I mentioned, they're .. close to really getting involved here. I think the point is right around the corner for them.

Threat Mitigation

KITTEN: In the report that Javelin issued about data breaches and the losses associated with them, it notes that a data breach can cause financial losses for banking institutions, retailers and consumers, even when the breach occurred at a third party, such as a payments processor. And we have seen a number of these types of breaches that have adversely affected the industry. What more would you say needs to be done that isn't being done right now?

PASCUAL: There are a few things they have to address. The first thing, going to the same thing that you'll see whenever anyone talks about data breaches, is protecting the data. Failing to encrypt data, failing to react to the presence of malware, or just protecting the information itself is the first step, and that's pretty obvious. But there's much more to it than that when we start viewing it through the lens of data breaches and fraud. By that, I mean things like consumer empowerment. Twelve percent of consumers within the past year have received a data breach notification. Fifty-one percent of fraud victims received a data breach notification within the past 12 months, and what that really tells us is that those notifications themselves are not enough. Consumers aren't heeding that, for one reason or another; maybe it's a question of education or maybe they just don't know what they can do to protect themselves. But that consumer piece needs to be dealt with; they're the first line of defense. Get consumers active; encourage them to use alerts.

Institutions provide the capability for consumers to be alerted when there are irregular transactions or changes to contact information and the like. If consumers are using that, especially after getting a breach notification, it's very likely they can catch the criminal in the act and help prevent the fraud or encourage consumers to use identity protection. I know for the financial industry it has been a bit of a headache, especially with all the CFPB [Consumer Financial Protection Bureau] actions over the past year, but I do think protection does have a place. It does protect against a variety of fraud types and very often, when breaches occur, organizations will offer that protection to them typically free of charge. Encourage the consumer to sign up. There's real value there.

For financial institutions that bear a significant portion of the cost, we think there's an opportunity when it comes to authentication. We saw in 2013 that 80 percent of the institutions my group examined still allow consumers to authenticate themselves with their Social Security number. Where banks now are striving to keep up with FFIEC requirements, providing strong authentication, relying on things like one-time passwords, geo-location, even biometrics, they're still allowing a nine-digit number to be used to access accounts. Bad guys know that; they rely on that to circumvent these other authentication measures. Nearly half of all consumers who have suffered an account takeover had their Social Security number compromised, and that's because the bad guys know that they can use it to access consumer accounts, commit account takeover and wire thousands of dollars out of these accounts. Financial institutions need to stop with Social Security number authentication. It's doing them a disservice and doing the consumer a disservice.

Finally, for merchants, fraud hits bad. It's going to get worse. In 2010, we saw misuse of consumer information to commit online retail fraud overtook misuse of consumer information at the point-of-sale. In 2012, we saw some really strong separation; misuse at point-of-sale started to decline and online retail really started to take off. With EMV, it's projected to become widely adopted by 2017. It'll only get worse if it follows anything like what we saw in the UK, Canada or anywhere in Europe. Merchants and issuers need to improve authentication. Consumers are ready. They find it easy to use. They find it effective. We need to encourage merchants and issuers to get over the hump, implement these solutions and really protect themselves and consumers. It's not just protecting the data. It's really getting everyone involved.




Around the Network