Anita Ramasastry

Heartbreak over Heartland: Why Prosecution for Data Breaches Isn't Enough

By ANITA RAMASASTRY
Friday, September 4, 2009

Debit card users often feel safe because their cards are PIN-protected. But recent events show that, like credit cards, debit cards can be compromised, when the databases of large retail merchants or card processors are hacked.

In late August, the U.S. Department of Justice issued indictments in what is, to date, the largest data breach in the United States – with over 130 million credit and debit card numbers compromised. Albert Gonzalez, 28, of Miami, Florida, and two unnamed co-conspirators allegedly used an intricate hacking techniques to break past computer firewalls and gain access to this confidential information, as well as to intercept packets of data that were being transmitted in real time.

When a credit or debit card is used, the card numbers are stored so that the information can be transmitted back to your bank for withdrawal of funds or billing to your statement. Companies are required by various regulations and industry rules to have security measures that will safeguard sensitive customer data. However, hackers can and will try to outsmart the best security measures.

In this column, I will discuss the recent security breach and some of its implications and costs. While the arrest of the alleged hacker is important, it remains to be seen whether this action will be an effective deterrent to others. Moreover, after-the-fact arrests are not enough: There needs to be a renewed focus on security standards within the card industry.

The Recent Indictment

In late August, the Acting U.S. Attorney for New Jersey announced an indictment against Gonzales and his two unidentified co-conspirators. The three are charged with a scheme involving five corporate data breaches, including the single largest reported data breach in U.S. history. The scheme is believed to constitute the largest hacking and identity theft case Justice has ever prosecuted.

According to the indictment, 130 million credit and debit card numbers, together with account information, were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J.; 7-Eleven, Inc.; Hannaford Brothers Co., which operates grocery stores in Maine and Massachusetts; and two other, unidentified corporations.

Between October 2006 and May 2008, Gonzalez is alleged to have acted with his two coconspirators to select large corporations, and identify security vulnerabilities, both by in-person observation and by online investigation. For example, according to the indictment, Gonzalez and an individual identified only as "P.T." would visit the retail locations of their potential victim companies, seeking to identify the type of checkout machines and card readers they used.

The indictment alleges that, after this reconnaissance was completed, the three conspirators would upload information to servers – which served as hacking platforms – that were located in New Jersey and several foreign countries. The three conspirators allegedly used the servers first to store information critical to their hacking schemes, and then to launch their attacks. Through these attacks, the indictment alleges, they installed "sniffers" that conducted real-time interception of credit and debit card data being processed by the corporate victims' servers.

As noted above, the results were staggering: Reportedly, more than 130 million card numbers were stolen.

Is Our Data Secure?

We have a strong legal structure that kicks in after an infraction; both federal regulations and card industry rules provide consumers with great protections if someone steals their card or card numbers. But it is still a headache for the consumer to report false charges and get them erased, make sure money fraudulently transferred from bank accounts is replaced, and procure replacement cards. Moreover, such breaches are costly to companies and banks, and the costs get passed on to cardholders in the form of higher fees, interest rates and the like.

That raises a pressing question: Can more be done to prevent this kind of hacking activity?

There are some industry standards meant to protect credit and debit card data. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard created by the Payment Card Industry Security Standards Council. These standards are meant to help businesses that receive or process card payments prevent card fraud through increased data security. The PCI DSS standards apply to all entities that hold, process, or transmit cardholder information for cards that employ the logo of the participating card brands.

PCI DSS is really a checklist of measures for card processors and merchants. Entities must be audited annually for compliance with PCI DSS. Businesses with a high volume of transactions must have their compliance assessed by an independent party referred to as a Qualified Security Assessor (QSA), while businesses handling smaller volumes may self-certify their compliance by completing a questionnaire.

For businesses that are processing Visa or MasterCard transactions, compliance is enforced by the organization's acquiring bank. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk being prohibited from processing card payments and being fined. Unfortunately, compliance is not a guarantee that security is bulletproof. Companies have suffered security breaches even while they were registered as PCI DSS compliant. Indeed, two of the victim companies mentioned above -- Heartland Payment Processing Systems and Hannaford Brothers -- were certified as PCI DSS compliant.

What happened? Some have pointed to the problem of "snapshot" certification – which determines that the company is compliant at a point in time, and then assumes it will remain compliant – as the culprit. For instance, Hannaford Bros received its PCI DSS compliance certification one day after it had been made aware of a two-month long breach of its network. Perhaps when the breach occurred, it had not been compliant; or perhaps compliance standards were too low.

As for Heartland, until May 2009, Visa placed the processor on probation, during which time it was subject to a number of risk conditions -- including more stringent security assessments, monitoring and reporting. Visa also issued fines to several Heartland-sponsoring banks. However, the company, while on probation, could still process credit card transactions. As of May, Heartland is once again listed as PCI DSS compliant. It is still too early to determine whether the probationary period served as a significant caution to Heartland and to other processors.

The Security-Breach Lawsuits and the Other Costs of Breaches

Such breaches are, of course, very costly. For instance, Gonzalez was previously charged with masterminding the theft of more than 40 million credit card numbers from nine retailers, including discounter BJ's Wholesale Club and TJX, the parent of TJMaxx and Marshall's stores. TJX reports expenditures of $132 million relating to the breach, including the costs of investigating and repelling the data breach and defending the lawsuits initiated by banks, consumers and government agencies. The suits accuse TJX of maintaining lax security that allowed hackers to strike. In June, TJX reached a $10 million settlement with 41 states and has spent another $65 million settling lawsuits by impacted banks.

In the Heartland breach, some of the affected banks had to issues new cards (which can cost $5 to $30 per card); some offered credit monitoring; and some were forced to absorb additional losses after cards were fraudulently used. This has caused them to turn around and sue Heartland.

Heartland currently is being sued by banks, credit unions, and other institutions that issued debit and/or credit cards that were compromised. These financial institutions seek to recover out-of-pocket expenses for reissuing debit and/or credit cards to their customers; and they also seek damages for costs incurred due to the misuse of the compromised information, as thieves used the stolen card numbers to make unauthorized charges that have to be written off.

Finally, a consumer class action lawsuit alleged that Heartland did not know of the breach until it was notified of credit-card fraud by Visa and MasterCard, and claimed that the company had not implemented all the required PCI DSS controls. The suit also faults the company for announcing the breach on the day of President Barack Obama's inauguration, and claims that Heartland has not offered any compensation to affected consumers.

What Can Consumers and Merchants Do, Moving Forward?

Heartland has apologized for the breach, but apologies don't keep card numbers safe. And while prosecutions may create some deterrence effect, they aren't a full solution.

Ultimately, then, the devil is going to be in the details of PCI DSS Compliance. Many commentators are critical of the current "checklist" format. They say the checklist offers a minimum set of standards and asks no more than this minimum, when companies should be thinking of data security as an ongoing process that can be improved.

Moreover, critics points out that PCI DSS was developed by the credit card industry to provide baseline security requirements for businesses that handle sensitive card information, and that federal law exists that is meant to supplement this self-regulatory industry solution. Many of the companies also fall under other statutory compliance mandates such as Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA).

And critics note that it is important for companies to respect the spirit, as well as the letter, of these compliance requirements. Passing a PCI DSS compliance audit is a positive step, but employees and network administrators will change and computer systems will also evolve. Just because a business is compliant with PCI DSS at the time of an audit does not mean that, at another point in time, it will still remain compliant. Companies need to constantly monitor their performance and not think about the PCI DSS audit as a once-a-year tune-up.

Finally, perhaps the PCI DSS standards need more teeth. Granted, the reputational harm that has been suffered by Heartland and other hacked companies should, in theory, powerfully incentivize these and other businesses to invest more in security. Yet the breaches still keep coming – and that makes one wonder whether the incentives are strong enough.


Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Ads by FindLaw