Three days of hearings on Capitol Hill about the jaw-dropping data breaches at Target and Neiman Marcus brought to light one new apology and at least two familiar lessons. The lessons are worth reiterating.
First, there’s fresh evidence that retailers have a hard time admitting when they’ve been hacked. Once they do, they find it hard to tell the whole story.
Target said nothing about the breach until an independent security researcher disclosed it on his blog. In its initial statement, the company said the attack involved 40 million card accounts. Three weeks later, Target revealed that other records affecting 70 million customers also had been stolen.
Finally, after repeating “how sorry we are that this happened,” a Target executive divulged that the breach had lasted three days longer than initially admitted. Neiman Marcus has been similarly evasive.
This is the kind of slow-motion, piecemeal response that infuriates consumers. A uniform federal standard mandating how retailers report data breaches, which some in Congress are advocating, would be an improvement over the varying state-by-state disclosure laws now in effect.
The second lesson is to speed adoption of smart-chip cards, which have encrypted chips embedded in them and often require a password to use.
Merchants and issuers are expected to finally adopt the technology in the United States by October 2015.
Target, commendably, now plans to accelerate its transition and have the gear in place by early next year.
As other retailers watch Target contend with investigations, lawsuits and the ire of consumers and investors alike, doing the same might start looking cheaper and cheaper.