Massachusetts is debating a new law that is really a reaction to several major credit card / data security breaches affecting the state. TJX is the most notable of the past few months, and the failure of local credit unions in the state to receive compensation for the BJ's Wholesale data breach is at the center of the discussion. The thought process is as follows:
1. Under the PCI DSS standard (which is very good, and whose fines are levied with greater clarity and consistency than, say, state or regulatory fines), fines flow top-down: the card brands fine the acquiring banks, and each entity in the processing chain passes the damages along contractually to the next one until they reach the party responsible. (This is a VERY simplified explanation of a very mature process; please read your card brand's operating agreement to understand who is liable in these situations.)
2. The legislators argue that the fines should be levied on the organization where the breach occurred, not on the banks, credit card companies, or third-party processors. Of course, if one of those is itself the organization breached, then it is liable for all the resulting damages and fines.
This does pose an interesting question: would the threat of fines on organizations throughout the entire processing chain be so bad? Is it not true that banks have increased their security through encryption and other technologies as a direct result of fines and the fear of fines? I am a fan of the free market and of letting the market dictate what should be done, especially when it comes to security, but how bad is it to place the onus on everyone rather than on a single party?
There is a great article in the Wall Street Journal on the law under debate. The article is free today!!