Bill targets retailers for costs to fix data thefts
Retailers say plan would fatten bank profits, not protect public
Citing the high-tech theft of credit card numbers from Stop & Shop Supermarket Cos., Massachusetts bankers yesterday urged state legislators to force retailers and others who fail to keep card data protected to pay all costs for fixing security breaches.
"What happened at Stop & Shop is another example of retailers not doing enough to protect consumers," said the Massachusetts Bankers Association's spokesman, Bruce E. Spitzer. "If companies know they'll be responsible for every expense caused by a security breach, maybe they'll finally invest in better security."
But the president of the Retailers Association of Massachusetts, Jon B. Hurst, said the banker-backed bill, offered by state Representative Michael A. Costello, a Newburyport Democrat, would add needless new expenses -- pumping up bank profits, not protecting consumers.
"It's a typical banker pyramiding scheme to get more dollars into their pockets," Hurst said of the bill, which was filed at the end of last year.
Stop & Shop isn't saying how many consumers' cards were compromised after thieves tampered with card readers at supermarket checkout lanes in Seekonk and in five Rhode Island communities. The only confirmed reports of stolen card numbers, the company said, involved shoppers at Coventry and Cranston, R.I., supermarkets in early February.
The scheme apparently involved a data-theft tactic called skimming. In one version, thieves -- typically dishonest restaurant or store employees -- run customers' cards through an illegal reader to steal the numbers. In another, as at Stop & Shop, thieves tamper with a point-of-sale device and plant a bugging device to capture card numbers and personal identification numbers (PINs) as customers key them in.
Julie Fergerson, cofounder of Merchant Risk Council, a Seattle electronic commerce security group, estimated there are thousands of cases nationally each year of card-skimming, but fewer than 100 involving manipulation of devices, because the latter method is complex, yields only a few card numbers per hour, and is usually soon detected, "so all the work the fraudster has done gets shut down."
Tom Baker, assistant special agent in charge at the US Secret Service New England Electronic Crimes Task Force, which is investigating the Stop & Shop case, would not comment on how it was done but said merchants with card readers need to be vigilant.
"I wouldn't be surprised if we come out fairly soon with some public awareness campaigns for businesses" about how to recognize and prevent tampering, Baker said.
Stop & Shop has said it has no evidence store employees were involved in the theft. The chain has since secured card readers at all its stores in the Northeast.
The grocer has also set up a hot line, 877-366-2668, to answer questions and is promising to help customers whose cards were compromised by card readers that were tampered with.
Stop & Shop said it was first notified last week by a bank that credit-card numbers were stolen from its stores. The incident comes a month after TJX Cos., the Framingham company that runs T.J. Maxx, Marshalls, and other stores, reported a breach that involved the theft of customer credit- and debit-card data from potentially millions of accounts.
Costello's legislation would require that when any enterprise, including retailers and banks, allows card numbers to be revealed, it would have to notify affected consumers within five days. It would also be liable for covering all expenses caused by the breach, including the cost for banks to issue replacement cards.
Hurst said retailers "firmly oppose" the bill because existing card-issuer policies already let banks recoup fraud expenses from companies that mishandle credit-card data. Banks charge retailers 2 to 4 percent of sales, ostensibly in part to cover fraud costs, Hurst said. Small banks that don't want to pay for the expensive round-the-clock card fraud monitoring that Bank of America Corp. and other giants perform want to shift costs to retailers, Hurst said.
But Costello said existing laws need to be clarified in several ways, which his bill would do. Spitzer, of the bankers association, said fewer than one-third of major retailers comply with national card-security standards, adding, "If this legislation passes, all retailers, all companies, and all banks will know they'll be responsible for absorbing every cost associated with a data breach."
Peter J. Howe can be reached at howe@globe.com.