Big fines for big breaches: The only way to stop shoddy security

Companies that profit from data collection should be held financially accountable when they fail to secure what they store

I've posted on this topic in the past, but I can't say it enough: Retailers that lose customer information to crackers should be penalized massively. There is no other way to stem the tide.

Neiman Marcus is the latest in a long line of companies that have lost control of their customers' credit and debit card data. Target's massive breach affected as many as 70 million customers; TJ Maxx lost tens of millions of customer card numbers in a breach that began in 2005; Heartland Payment Systems, a credit card processor, lost 130 million records in a breach disclosed in 2009. In every case, the company expresses its sorrow and sympathy and promises not to let it happen again. But it will happen again.


Inexplicable as it may be, it's almost like a game to these companies. I can't think of another reason why they would play fast and loose with this information in the first place.

It would seem that they really don't care about the security of this data, and the only way customers can protect themselves against this apathy is to stop shopping there. Unfortunately, not enough people would join such a boycott for it to act as a deterrent and force real change. In the case of Heartland Payment Systems, there is no one to boycott: simply using your credit or debit card at a retailer whose transactions ran through Heartland's processing system was enough to expose your information to thieves. To avoid that, you would have to pay cash everywhere.

Instead, we get an apology and a FAQ like the one on Target's site discussing what happened -- and that's it. Customers' cards will be used to purchase all kinds of items all over the world until the cards are shut down; their credit ratings can take a hit; they'll get new cards with new numbers and deal with the hassle and frustration of rearranging automated payments; and so forth. But that's all.

Target will get some negative publicity for a little while, lose some sales, and go back to business as usual. Heck, I bet most people don't even know about the Heartland breach.

This has to change. If retailers store information that in the wrong hands can cause immediate and significant financial harm to their customers, then that corporation should be held liable for all damages that may ensue from a breach of that data. If you make the business decision to store this data, you must also accept that if you screw it up, the damages could run into the hundreds of millions of dollars at the low end.

JP Morgan estimates that the Target breach could incur damages of up to $18 billion. Lawsuits against Target are under way, and state and federal investigations are in progress, but if past is prologue, very little will come of it. Target may lower its sales forecasts, but only temporarily. If the company had to pay $18 billion in damages, well, that might make a statement.
