The Massachusetts consumer affairs office sent a letter about the notification law to Hannaford CEO Ronald Hodge. (Stephan Savoia/Associated Press/File 2007)
Massachusetts officials yesterday warned the Hannaford Bros. supermarket chain that state law requires companies to promptly notify them of security breaches, following Hannaford's disclosure Monday that a data breach potentially exposed 4.2 million credit and debit cards to fraud.
The law, adopted last year after a massive hack at Framingham retailer
As of yesterday, the consumer affairs office had not received official notification of the security breach. Hannaford didn't publicly acknowledge the security lapse until Monday afternoon - after the Massachusetts Bankers Association issued a press release warning consumers about a major breach at an unnamed retail chain.
The company, based in Maine, has said signs of the breach were uncovered three weeks ago, but said it delayed making the breach public until it had gathered enough information to give help to consumers.
Yet, Hannaford's breach might be exempt from the Massachusetts law because of a technicality. Specifically, the state statute refers to security breaches involving personal information - defined as a resident's name in combination with a Social Security number, financial account number, or driver's license number. But Hannaford said credit and debit card numbers alone were potentially compromised. In fact, Hannaford said it doesn't store names at all.
Hannaford said the breach affected more than 270 stores, including those in Massachusetts, Maine, New Hampshire, New York, and Vermont.
The company is aware of at least 1,800 cases where cards were used fraudulently. The data breach, among the biggest since hackers stole as many as 100 million credit and debit card numbers from TJX in a case disclosed last year, lasted from December until March.
In a letter to Hannaford yesterday, the state's consumer affairs office told Hannaford chief executive Ronald Hodge that the attorney general can sue companies that don't fulfill their obligation to notify state officials swiftly after a data breach.
Kimberly Haberlin, a spokeswoman for the state office, said the agency is working with Attorney General Martha Coakley "to ensure full compliance."
"We want all impacted consumers to have access to the information and protections they are entitled to under the new identity theft prevention law," she said.
Hannaford spokeswoman Carol Eleazer said the company disclosed the breach as soon as it had a full understanding of the situation. "In an abundance of caution and consistent with all applicable state laws, Hannaford announced this illegal data breach to get information to our customers in a timely manner," she said, when asked about the Massachusetts officials' concerns.
Several other states affected by the breach, including Vermont, New York, and Maine, have similar notification requirements. But some allow companies more leeway. Florida law, for instance, gives companies 45 days to notify consumers.
Officials with the New York and Vermont attorneys general did not return calls seeking comment. Linda Conti, an assistant attorney general for Maine, declined to say if the office planned to investigate Hannaford's response.
Meanwhile, US Representative Paul Hodes, a New Hampshire Democrat, urged the company to provide free credit monitoring to customers affected by the security breach.
So far, the supermarket chain has provided few details about how the information was taken.
Todd Wallack can be reached at twallack@globe.com. Ross Kerber can be reached at kerber@globe.com.



