An interesting study on the financial impact to financial institutions of the TJX and Hannaford breaches is here. It was conducted by the Maine Bureau of Financial Institutions, and looks only at the costs borne by Maine financial institutions (Maine-chartered banks and credit unions). Some summary findings: The TJX breach affected 52 institutions, comprising 64,825 accounts, and $485k in recovery cost (they considered costs in four areas: investigation, communication, reissuance, and net fraud). Hannaford totals were 71 financial institutions affected, 243,599 accounts affected, and $1.5M in recovery cost.

In an article on the study, Maine Herald reporter Edward Murphy suggests that lawmakers in Maine might be prompted to pass legislation forcing retailers to share some of these costs.

Interesting study and article.

My take on this is that we will see more legislation from the states trying to shift the cost from the financial institutions back to the retailers in the event of security breaches that impact financial institutions. In terms of fairness, it seems right to me that the total cost of lousy security at a credit-card-accepting retailer (including the costs to individuals and financial institutions) should go back to the retailer.

Minnesota is the first state I am aware of to already pass such a law, which I blogged about previously.

As a practical matter, having many states pass individual laws in this area will only deepen the compliance quagmire. It will be like the proliferation of individual (and different) breach notification laws all over again.

I think an interesting question in this area is whether compliance with PCI DSS constitutes due care and due diligence. In other words, whether or not a state law that shifts the cost burden exists, if I'm a financial institution that has a large unexpected cost associated with a retailer security breach, I would like to be able to sue the retailer to recover costs. If I remember right, one of these retailers claimed to be PCI DSS compliant at the time their breach occurred. As a best-practices standard developed by the industry, and with attestations of compliance, does that constitute due care and due diligence? I guess we'll need a lawsuit to find out.

Jim