Beauty Store Business

JUN 2014

For beauty business news, beauty store owners turn to Beauty Store Business. Beauty business trends, beauty business profiles and more!

Issue link: http://beautystorebusiness.epubxp.com/i/308289


June 2014 | beautystorebusiness.com | Beauty & The Law

THE MAMMOTH SECURITY BREACH AT TARGET stores over the 2013 holiday shopping season focused the nation on the reality of cybercrime and identity theft. Forty million people had credit or debit card numbers stolen in the attack and 70 million more had information—such as home addresses and phone numbers—taken by criminals. Target announced the attack on December 19 and just days later Neiman Marcus reported it had also been the victim of a cyber attack during the holidays. In March, Sally Beauty Holdings was the victim of "an unauthorized attempted intrusion" into its Sally Beauty Supply network.

CHIP AND PIN CARDS OFFER SOME PROTECTION FOR RETAILERS AND CONSUMERS

Most United States credit and debit cards have a magnetic stripe with unencrypted data that can be copied when the card is swiped. One partial solution to the data-breach problem is so-called "chip and pin" credit and debit cards. Chip cards—which are already standard in Europe—replace the magnetic stripes on the backs of cards with an electronic microprocessor chip that is harder to counterfeit. In addition, in many systems the card user has to enter a PIN number to authorize each purchase.

A credit card issuers' trade association pointed out that additional security measures will always be necessary and that chips will not make Internet sales any more secure, presumably because the user has to manually enter a card number no matter how it is encoded on the card. The general counsel of the National Retail Federation (nrf.com) submitted a written statement at a Senate hearing in February that switching to chip cards without requiring a PIN would "essentially be spending billions to combine a 1990s technology (chips) with a 1960s relic (signature) in the face of 21st century threats."

How to pay for all the point-of-sale technology needed to process chip and PIN cards is an issue that has to be resolved before the system is fully adopted here in the U.S. Still, MasterCard and Visa have announced that retailers will have to pay for fraudulent charges if they have an option of accepting a chip card but use a magnetic stripe card instead. This change in who pays for card fraud is called the "liability shift." When the liability shift becomes effective in October 2015, companies that did not adopt chip technology will assume the risk of fraud, whether that's the retailer or the issuing bank.

CURRENT LAWS ON RESPONDING TO SECURITY BREACHES

In view of rising cybercrime, businesses should know where to turn if the security of their customers' data is breached. As of this writing, each state chooses whether and how to regulate the response to consumer data breaches. If a business that operates in several states wants to know the law that governs its actions, it has to check the laws state by state in each location where it does business. Each of 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands has its own unique law. Only Alabama, Kentucky, New Mexico and South Dakota have chosen not to pass laws on this subject. In addition, 19 new state bills are under consideration this year.

It would be impossible to give a guide to each state's law in this column, but a few examples demonstrate how state laws vary. In South Carolina, any business that has unencrypted computerized data including personal information concerning a South Carolina resident must tell each affected South Carolina resident when the breach creates a real risk of harm to that person. If the business has to notify 1,000 people, then it also has to notify the national consumer reporting agencies and the South Carolina Consumer Protection Division.

In contrast, in Tennessee, a business that has a breach of the same kinds of information must tell each Tennessee resident whose information was unlawfully accessed, whether or not the victim is at risk. A Tennessee business that has to notify more than 1,000 people must tell the national consumer reporting agencies, but does not have to inform the state of the security breach.

Finally, entities that do business in California must notify each affected individual if there is a security breach and must give a sample of its notification to the state attorney general if more than 500 California residents are affected. As of this year, California has expanded the definition of personal information to include a user name or email address together with either a password or security question and answer that would allow breaking into an online account.

As a result of these differences among the states, it is important to evaluate the laws that apply wherever you do business. If there is a data breach, then it is critical to comply with each state law that applies to your business.

NEW FEDERAL SECURITY LAWS ARE PENDING IN CONGRESS

Referring to the massive Target data breach and the Neiman Marcus breach announced shortly afterward, U.S. Attorney General Eric Holder called for strengthening the laws that protect privacy. "It is time for leaders in Washington, D.C., to provide the tools that we need to do even more by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches," says Holder. He also called for "a strong national standard" for quickly alerting consumers whose information may be compromised. The NRF general counsel echoed the need for a national standard in his statement to the Senate in February that one national notification standard would allow companies to focus on notifying customers instead of paying lawyers to figure out which laws apply and what they call for.

Congress is considering several different privacy bills, each of which would replace the patchwork of state laws with one uniform law across the country. It's hard to predict if this gridlocked Congress will pass any new data security law, but the Personal Data Privacy and Security Act of 2014 has won some support. Even if this bill doesn't

Protecting Your Customers' Information

Security breaches are happening more frequently. Read on to discover how you can protect yourself and your customers.

by Jean Warshaw

Image courtesy of Barry Burns
