Retailer's Database Breached, Customers Not Notified
The breach, first detected by Citigroup, a financial services company, showed that hackers found a way into HomeVisions.com, a separate website of Direct Marketing Services, Inc., and then stole records from a database holding account information for all the company's retail holdings.
Direct Marketing Services, Inc., which has owned the Montgomery Ward brand since 2004, says it promptly told its payment processor and Visa and MasterCard, and it also notified the U.S. Secret Service. The company, however, did not inform the customers whose credit card information was stolen in the hack.
In June, the breach was made public after the company CardCops, an investigative firm that tracks credit card thefts for the financial services industry, found more than 200,000 payment cards being offered for sale on an Internet chat room often visited by card thieves.
Direct Marketing Services says it now plans to contact consumers -- more than six months after the breach occurred. Visa's guidelines don't cover the notification of consumers, which is required by 44 states' individual data breach notification laws. Penalties for non-compliance with these laws vary by state, ranging from fines levied against the company to allowing customers to file lawsuits against the breached company.
While Visa guidelines don't tell retailers to notify the public, David Taylor, President of the PCI Security Alliance, says the "common sense" of doing business should have kicked in for the senior management at Direct Marketing Services. "A lot of retailers don't know the state laws about data breach notification, but unless a retailer is a mom and pop retailer and doing business online, they're likely doing business with customers in more than one state," Taylor says.
Taylor adds that some states' data breach notification laws require a company to have an incident response plan -- something the majority of retailers don't have. "If this company had an incident response plan, it would have addressed the need to notify its affected customers," he adds.
Retailers, unlike financial institutions, aren't heavily regulated by federal or state agencies in the area of risk management, he notes. "There's nobody in their face on this question of data breach notification," Taylor says. "It only gains attention if a breach happens. There is no one from the State Attorney General's office asking where their risk management plan or incident response plan is before a breach happens."