Adding Up the Costs of Data Breaches

[Photo: A customer prepares to sign a credit card slip at a Target store. The retailer has said hackers may have exposed credit and debit card information on up to 40 million customers. Credit: Joe Raedle/Getty Images]

There seems to be an announcement almost weekly that a retailer has been the victim of a cyberattack in which consumer information has been stolen. Has this become the next wave of 21st century white-collar crime as the world of electronic credit and payments opens up companies to more and more thefts of financial information?

The latest disclosure of a possible security breach comes from Michaels Stores, which said it was looking into possible fraudulent activity involving its stores but had not yet confirmed any misuse of customer financial information. As hackers’ sophistication increases, companies have a harder time even detecting whether computer systems have been attacked and the extent of any security breach.

Unlike many types of white-collar crime that affect only individual companies and markets, a broad swath of society is at risk when hackers obtain personal financial information. As The New York Times reported, Target was particularly vulnerable to having its system invaded by hackers, who may have exposed credit and debit card information on up to 40 million customers.

Companies that have been attacked are still trying to figure out how quickly to disclose a security breach. Neiman Marcus, for example, sent a letter to Senator Richard Blumenthal of Connecticut, who had questioned the retailer’s failure to promptly notify customers. It gave a timeline of how it was hacked by the same computer program that attacked Target and said it had received information shortly before Christmas about a possible problem with credit cards used at its stores. A report on New Year’s Day confirmed that its computer system had been breached, but the company did not make any public announcement until Jan. 10.

On the other hand, Michaels Stores disclosed the potential breach even before it confirmed that financial information had been obtained. In a letter to customers, the company said it had “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack.”

There is pressure on a company whose information has been stolen to keep quiet and delay disclosures to customers and shareholders. From a law enforcement perspective, keeping a security breach confidential may help criminal investigators track down who received the information and how they might be selling it. A public announcement of a cyberattack puts the perpetrators on notice to tread more carefully in how they might use customer financial information.

The challenge is not finding a crime to prosecute. It is locating the perpetrators and bringing them to the United States to face charges. The malware used to infiltrate computer systems at Target and Neiman Marcus reportedly originated in Russia, and the stolen information has been passed around Eastern Europe. That means that most of those involved in the hacking are beyond the reach of American authorities.

There are plenty of criminal laws on the books that can be used to prosecute cybercrime. Federal statutes make it a crime to access a computer to fraudulently obtain information (18 U.S.C. § 1030(a)(4)), and to use “a means of identification of another person,” including by selling or trading stolen personal financial information (18 U.S.C. § 1028A).

Unlike other types of white-collar crimes, in which defendants often claim they did not believe their conduct constituted a violation, cybercriminals know exactly what they are doing and why. (While technologically sophisticated, they are still just thieves.) So these cases present a different challenge for prosecutors, who often need secrecy to track down those behind the cyberattacks.

But the need for a company victimized by hacking to disclose information can be just as great, especially when personal financial information is involved. Although credit card holders are not subject to significant losses if they promptly report fraudulent transactions, that is cold comfort when trying to figure out whether fraudulent charges have been made.

If a credit card account is misused, the cardholder has to spend time straightening out unauthorized transactions and dealing with the issuance of new cards. Even more dangerous is the potential for identity theft, which could result in substantial disruptions to an individual’s financial life that can take months to fully rectify.

For publicly traded companies like Target and Neiman Marcus, there is an additional obligation to disclose material information to shareholders in a timely manner. For any retailer, a cyberattack may drive customers away and affect income through increased expenses for stronger computer security, providing identity theft protection to affected customers and refunding any fraudulent charges.

The potential effect on the bottom line could be significant, and something every shareholder is likely to want to learn about sooner rather than later. Yet neither Target nor Neiman Marcus has submitted a filing with the Securities and Exchange Commission giving an estimate of the potential costs of the hacking they experienced, leaving shareholders in the dark about the effect of these episodes.

Companies that have so far avoided the hacking afflicting retailers must be aware of the potential that their computer systems are vulnerable to a cyberattack. At the recent World Economic Forum in Davos, Switzerland, the chief executive of Western Union pointed out that dealing with hackers had become a “street fight.”

Hackers are getting more sophisticated, which means the costs to fight them will grow as companies address the type of porous security that got Target into so much trouble. Shareholders are likely to hear more about how companies are trying to protect themselves and the rising cost of doing so.