It’s acronyms in April. Today, PCI compliance, which refers to the industry standards set by the Payment Card Industry. There may be an incestuous affair between lawyers and the merchants of software and hardware. A problem gets publicized, the lawyers promulgate laws and regulations, and companies have to buy software and consultants’ services to meet those regulatory requirements; then, other lawyers sue for non-compliance with these minimum standards. That’s trickle-around economics, and why some can afford those really nice homes near our shores.
When I’m done droning on about IP, I switch the topic to IT, just to stroke the pace. With each new report that users’ credit cards and/or personally identifiable data have been taken, some time has to be devoted to learning how the ‘job’ was done, and what the lawyers said about it in later suits.
On Mar. 27th, the Hannaford grocery chain had two PCI compliance events: it was re-certified PCI compliant, and it reported being aware of a data breach in which 4.2 million card users’ data was stolen. Later, it determined that the breach continued until Mar. 10th, and class action lawsuits began being filed on the 19th. The data breach resulted from malware installed on all the store servers: when a card was sent in for authorization, the malware intercepted the card number and expiry date, then batch-sent the numbers over the internet to a foreign ISP. Unlike the TJMaxx breach, where the intrusion came in part via unsecured wireless access, Hannaford did not have wireless network access.
Some have speculated that installation of the malware may have been done by an “insider” or a vendor’s technician. One of the suits alleged around “1,800 cases of reported credit or debit card fraud related to the security breach.” In another, a plaintiff in Maine was told by the Burbank, Calif. police that a “replica of her card was swiped at the register when” fraudulent purchases were made. (See Complaint in Courchene v. Hannaford, linked to main case 2:08CV89 D. Maine.) Also, it is claimed that the PCI standards establish a legal standard of due care, such that if a company is non-compliant, then it is legally negligent. That creates something of a moving target, since the PCI standards are broad-based goals rather than specific dos-and-don’ts. This is also of concern because of the overall dynamics of the situation: PCI compliance is a necessity, but a compliant company is not insulated from liability; and the flexible PCI standards may create, or provide proof of, liability for an unpreventable data breach. Also, the coincidence of Hannaford being re-certified and that same day reporting the breach seems to suggest that the PCI audit led to discovery of the breach, and that it triggered the requirement that Hannaford report it. Last, in all the contracts related to PCI compliance, it is difficult to transfer or even mitigate data loss liability – consultants, auditors, software vendors, etc., accept no liability in those arrangements.
If you’ve read this far, then you may want to consider my ‘conspiracy theory.’ The data breach at Hannaford began around Dec. 1, 2007. At that time, the USDOJ issued investigatory demands to all the large chocolate companies over alleged price fixing. On Mar. 25, 2008, Hannaford sued all the chocolate companies alleging monopolization and price fixing. The PCI audit, the malware and data breach at Hannaford, and the price-fixing suit by Hannaford may not be related. But it raises the (albeit unlikely) possibility that the intrusion into Hannaford’s servers was industrial espionage done to access information related to the later-filed price-fixing suit (even if taking the credit card data was just moonlighting by the hackers, or done to make the attack appear to be something other than espionage). Sure, it’s far-fetched, or too Ocean’s Eleven, but threatened world domination of all things chocolate requires some Austin Powers’ thinking.