
Brockton-based HarborOne Credit Union is planning to bill The TJX Cos. for losses caused by the breach that allowed TJX customers’ credit information to be accessed.
Brockton-based HarborOne Credit Union – like most, if not all, of the financial institutions in Massachusetts – is hopping mad. That’s because it’s being forced to pay the cost of replacing debit cards after retailer The TJX Cos. acknowledged customers’ credit information had been hacked into by an “unauthorized” intruder to its computer system last year.
President and Chief Executive Officer James Blake decided recently that his credit union isn’t going to take it anymore – and he’s taking somewhat unusual steps to make that happen.
“I have written to TJX [specifically, Chairman and Acting Chief Executive Officer Bernard Cammarata] telling them that we intend to bill them for our costs, which are $100,000 to replace the cards, exclusive of fraud,” he told Banker & Tradesman last week.
He also penned a letter to Visa International Chief Executive Officer Kenneth Sommer on Jan. 31, demanding the credit card issuer release a list of the top 200 merchants who don’t yet comply with its requirements that they protect consumer data.
“We wrote to Visa because we issue Visa, but it’s the same story with MasterCard,” Blake said.
HarborOne has a contract with Tampa-based PSCU, a processing company for credit unions that allows it access to the Visa network. Retailers must be sponsored by a card company’s so-called “merchant” or “acquiring” bank (in Visa’s case, Cincinnati-based Fifth Third Bank), which processes card transactions, in order to be able to accept Visa or MasterCard transactions.
Blake and Massachusetts Credit Union League Communications Director Rob Kimmett said only about one-third of the major U.S. retailers that Visa and MasterCard deal with comply with data security standards card companies set. That’s up from 15 percent last May, but is still way too low, according to Blake, who is also MCUL’s board chairman.
“So what that says to you is the vast majority of merchants out there are putting consumers at risk,” he said. “And from my perspective, you’d have to say that Visa and MasterCard are putting their own brand at risk.”
The card companies, Blake said, “have a responsibility to ensure the retailers they’re doing business with are meeting their own network requirements.”
He added that in the past six months, Visa, at least, is starting to crack down on retailer compliance with its data rules. For example, he said, it’s started to issue heftier fines for noncompliance.
To date, Blake hasn’t received responses from TJX or Visa. The beleaguered Framingham-based retailer, with its credit-processing bank partner (merchant bank) Fifth Third Bank, is the subject of consumer lawsuits and at least one class-action bank lawsuit as a result of the breach, which occurred between May and December of 2006 but which the company didn’t acknowledge until January, hours after the Wall Street Journal reported it.
TJX is the parent company for Marshalls, TJMaxx, AJWright, HomeGoods, and other regional and national retailers.
Blake suggested that it didn’t acknowledge the data breach until January because managers’ bonuses are tied to store profits. Retailers make two-thirds of their net income during the holiday season, he said.
‘A Proprietary Matter’
TJX spokeswoman Sherry Lang did not return Banker & Tradesman’s call for comment, but has publicly denied that the company delayed notification of the data breach because of the impending holiday shopping season.
A Visa source, who spoke on the condition of anonymity, indicated that the San Francisco-based company won’t release a list of retailers that aren’t in compliance with card security rules.
“Visa regards merchants’ compliance status as a proprietary matter between them and their acquirer,” the source said.
But Blake has alternatives.
He and MCUL have started to discuss the possibility of a new public service campaign. The idea would be to hand out stickers saying “Data Secure” or “D.S.,” which retailers could attach to the Visa or MasterCard logo on their storefronts. Otherwise, Blake said, customers can’t be assured their credit card-related information is safe.
“We think it’s important that consumers have some sense of whether or not the store they’re going to do a transaction with complies with those standards,” Kimmett said. “It’s an important part of a purchase decision … it’s something Visa and MasterCard ought to do to let the consumer know that their rules are being followed.”
HarborOne and MCUL are also working with U.S. Rep. Barney Frank, D-Mass., who’s redrafting legislation that would require merchants to bear the cost if a data compromise they caused forced cards to be reissued, Blake said.
“It’s taken a while for Congress to really get their arms around this, and become educated about it,” he said, adding that the law proposed by Frank – the Newton Democrat who chairs the powerful House Financial Services Committee – would be the first federal law to address that topic.
The Massachusetts Bankers Association, meanwhile, is tracking federal legislative initiatives including House bill 958, the Data Accountability and Trust Act, which would require companies to implement data security programs and notify affected individuals following a breach, give the Federal Trade Commission authority to craft security rules and give state attorneys general “broad latitude” to enforce those new provisions; and House bill 948, the Social Security Number Protection Act – filed by U.S. Rep. Edward Markey, D-Mass. – which directs the FTC to issue regulations restricting the sale and purchase of Social Security numbers.
“Our understanding is that Congressman Frank, when his committee looks at this issue, will give it serious attention,” said MBA Senior Vice President for Government Affairs and Trust Services David E. Floreen.
On the state level, MBA strongly supports a new bill filed by Rep. Michael Costello, D-Amesbury. Temporarily named Legislation Relative to Enhancing the Confidentiality and Protection of Certain Consumer Information, the re-filed bill establishes the definition of a data breach, provides for prompt notification to affected consumers and businesses, and imposes “significant liability/financial responsibility on the entities whose action or inaction resulted in the breach” by requiring them to pay the costs that financial institutions assume to cover associated losses.
Massachusetts Office of Consumer Affairs and Business Regulation Director Daniel C. Crane noted that there will be several data-security and identity theft-related bills before the state Legislature in the coming session.
“The two general principles in all the bills are prompt notification and freezing of credit reports,” he said. “How that all will be sorted out into law, we shall see.” His office is “not specifically backing any bills at this time,” he added.
MBA’s New England Debit Card Task Force is organizing a data-security conference to be held in a to-be-announced location this spring, spokesman Bruce Spitzer said.
In addition, Massachusetts Attorney General Martha Coakley is leading a multi-state civil investigation into the data breach, focusing particularly on what security measures TJX took to protect consumer information.





