Maine's Supreme Court To Decide If Consumers Should Be Compensated For Hannaford Security Breach

If a retailer doesn't protect your credit card data and it gets stolen, should you be compensated? Not for any unauthorized charges, which are already covered under banks' zero-liability protection, but for the time lost dealing with the problem, for the anxiety it causes, and for any future credit history/score issues it might cause?

Retailers have always been protected from having to pay those kinds of damages to customers who have had their data stolen, but now there's a case going up before Maine's state Supreme Court that asks whether that should change.

The retailer in question is Hannaford Supermarkets, an East Coast grocery chain. A year and a half ago it reported that 4.2 million customer credit card records had been intercepted by crooks and sent overseas. Some of those customers sued Hannaford for damages.

The lawsuit came to a halt last May, when U.S. District Court Judge D. Brock Hornby ruled that Maine's law "allows consumers to recover damages if the merchant's negligence caused a direct loss to the consumer's account," and since customers were protected from direct loss due to zero-liability coverage by banks, Hannaford was off the hook.

The plaintiffs asked Judge Hornby to consider letting the state Supreme Court weigh in on the law, to determine whether it can be interpreted to also cover things like time lost dealing with the breach, or future dings on credit scores. He agreed, and wrote that the question that needs to be answered is, "Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?"

If the state Supreme Court decides they do constitute a "cognizable injury," it would be a first for a retailer, and possibly open the way for other consumers to sue in civil court for damages that aren't directly covered by zero-liability protection. That would in turn make it a lot harder for retailers to get off with a simple, "oops, sorry!" the next time they don't adequately protect customer financial data.

"Retail Data Breach Liability Shield May Get Gutted" [StorefrontBacktalk via Wired Threat Level]
(Photo: Zach Klein)

Comments:

user-pic

If this leads to retailers taking stronger measures to secure their customer data, I'm all for it.

If this means higher prices and more fees, then I don't want it.

It's also important to note that no data is 100% secure, there's always risk of a breach somewhere in the system.

user-pic

@dragonfire81: Yes, there's no such thing as 100%. But we really ought to be encouraging companies to shoot for as close to 100% as possible, even if they can't ever reach that goal.

Settling for 20% safe does no favors to anyone.

user-pic

I think this is long overdue. A lot of companies have lax security procedures, and lose vast quantities of consumer data, and you usually get an apology letter and *maybe* 1 year of free credit monitoring. That is like if they made a copy of the key to your house, gave it out to 100,000 people, then told you "don't worry, we will send someone by every so often for the next 12 months to make sure no one is breaking into your house...after that, it is your problem".

user-pic

I think it is a dangerous road to go down, as there is no way that data is 100% secure. The best computers in the world have been hacked into by the likes of Tom Cruise and Cameron Diaz :)

If all reasonable security measures have been put in place, and they are quick to admit the breach and notify people, then the bad press they get should be punishment enough.

If they post your SS# and Credit Card data on the internet, with a password of "12345", then yeah, draw and quarter.

user-pic

@winshape: hey, that's the combo to my luggage, and Cruise was only after the NOC list, so don't worry about the financial stuff ;)

user-pic

@dragonfire81: Whether or not it actually costs them anything to improve security, you'll still pay more.

user-pic

Most states now have laws that allow you to "freeze" your credit accounts. No new credit can be added unless the account is unfrozen first. In NC, it is free to freeze/unfreeze your account. Other states might have a fee to unfreeze (I think GA's was $30 at one point).

So far, that's the best weapon we have to combat identity theft. You're not dependent on someone else's security procedures.

user-pic

The question is whether this will cause companies to be more scared to admit their mistake.

user-pic

If you are absolutely frightened of a breach at a retailer, then maybe you should consider cash. I'd rather lose $200 in cash than have to worry about credit monitoring. Only use your cards when absolutely necessary for large purchases that you want covered thru your credit card.


I've come to terms with the fact that something MIGHT happen to my information over the internet, at stores and just plain identity theft. If Hannaford didn't have the proper security measures in place, then yes, maybe compensating these poor people who assumed otherwise. Hannaford is a relatively large chain, nice store (at least the one local to me is)- but that doesn't cut it when people are afraid to spend money there because of this data breach. I would figure my local Stewarts gas station to have a breach before Hannafords, so there was a reason they were targeted. Someone KNEW of their weakness.


It can happen anywhere. Always be diligent.

user-pic

@CompyPaq: That's an excellent point. I can totally envision companies sweeping it under the rug and letting consumers all sort it out themselves 30-60 days later instead of owning up to the error and potentially facing a class action from all 4.2 million cardholders.

user-pic

@winshape: "The best computers in the world have been hacked into by the likes of Tom Cruise and Cameron Diaz"

Really? Where did you hear about this?

user-pic

@tonberry: Still sucks if your name was on the NOC list though. I'll take identity theft over assassination!

user-pic

As someone affected by the breach, I think it's a bit steep. I still use my debit card, I still use it at Hannafords, and I acknowledge that (aside from being slightly numb) if I truly wanted to be more secure it's my responsibility.

There are many options open to me - cash, check, barter (what?). But it is my lazy-ass decision to go with convenience over security. I shouldn't be surprised that the people over at Hannaford made a similar lazy-ass decision.

user-pic

@Difdi: As a computer programmer I can say that you can throw as much money at the problem as you like. The first $10k gets you 90% secure, the next 99%, the next 99.9%, the next 99.99%.

These numbers are made up and a simple pattern. It's probably more like 85, 92, 95, 96, 96.1, 96.001, etc.

You could end up making those of us in software engineering rich without returning any true value to the customers, other than high prices. This is similar to the "if it saves one life" argument. If it's a billion $, is it worth it?

user-pic

If you own a heating oil delivery company and in the course of delivering oil you accidentally drop 100 gallons in my driveway, I'm going to charge you for the cleanup.

Why is it any different if I've done business with you, you were foolish enough to create long term storage of that data and someone stole the data and subsequently stole my ID and started causing problems, why shouldn't I be compensated for the cost of cleaning that up?

user-pic

@Verucalise(countingcalories): My data was stolen in one of those processor compromises, and then used to make a card that was used fraudulently. It played out pretty much as it should--I saw it post within a few days, Discover took it off, closed the account, and issued me a new card and number. To me, that's about the level of risk I accepted in using a card, and I don't consider myself in need of further compensation for the event. I think the credit-score ding is another issue, but I think the problem there is the way credit scores work, and that's what needs to be changed rather than a requirement for financial compensation if a security breach damages a score.

user-pic

@dragonfire81: Anything that adds more cost to corporations means higher prices and more fees.

user-pic

@winshape: How about ID theft (using one of those nifty IMF rubber mask machines) followed by assassination?

user-pic

@winshape: I agree. As others have posted, there is a law of diminishing returns when it comes to data protection. So, another layer of protection by preventing use of your personal information would be great. However, many states/companies charge $10-$30 for each freeze/unfreeze and I know that it doesn't cost that much to do it. I think this amount should be much lower or free.

user-pic

@Jabberkaty: If you use your card as credit, you have VISA's 0% liability.

user-pic

I think the point is the thief(s) stole 4.2 million card numbers before it [the hole] was found and stopped.

user-pic

I think all that will come of this, if anything, is something saying that the compromised company(s) will have to take 'reasonable' precautions in securing customer data. This will be all fine and good until another breach and (insert big company here) finds a little hole-in-the-wall judge to hear the case and they start spouting tech terms and prove that as long as the card #'s aren't written on a piece of paper they are taking 'reasonable' precautions. This will set a precedent and then the 'cost' of these precautions will be passed on to customers, so it's a win-win for the....companies.

user-pic

@AustinTXProgrammer: This is just like Y2K. Throw gobs of money at the problem, and make consultants and engineers rich by shoving resources at a paper tiger "problem".

user-pic

@tonberry: Well my combo is 54321. Figure that one out.

user-pic

@Verucalise(countingcalories): We've really come full circle, haven't we? Credit cards were always sold under the rubric of "safer than cash". Now we have people like Verucalise saying that she'd rather "lose 200 dollars in cash" than deal with data security breach headaches and credit report monitoring.

user-pic

@wcnghj: Don't think that all cardholders and merchants PAY for that zero-percent liability, over and over and over again. If it's not through fees and interest, it's paid by all of us through the prices of goods raised by the merchants for all of us to pay. There's no free lunch; and we all pay for the "peace of mind" canard.

user-pic

@wcnghj: I should use it as such more often; I worry that they'll put too high of a credit hold on it. But, it's not a good excuse. I should just do it.

Or better yet, start cashing my checks. Lazy, lazy, lazy...

user-pic

@AustinTXProgrammer: Somewhere between your scenario and a retailer excusing losing a laptop containing 1,000,000 unpassworded consumer records by shrugging and saying, "Whoopsie!" lies the truth.

user-pic

@Saboth: It is closer to they give out your key. They replace your locks and still monitor your home for 12 months. Or maybe it is like Visa replaces your locks, but you get the idea.

user-pic

@athmsVT: Kind of depends on what was compromised. If only a CC #, then yeah...replacing the locks is fine. If it was your social, mother's maiden name, etc...then you are kind of screwed.

user-pic

I agree that no data can be 100% secure. Even if it were not through a network connection, someone in the data center could get at it. FTM, the cashier at the local eatery could keep a copy of your CC numbers.

However, there are likely a lot of companies that don't take care to protect the data. If they are found to be negligent in their electronic data retention/security operations then they should hang!

4.2 million credit card numbers available via an internet or network connection is insane. To keep a record of those transactions they should shuttle those to a deadnet and the records purged from the connected systems.

Just my pair-a-dimes...

user-pic

@dragonfire81: "If this means higher prices and more fees, then I don't want it."

Hannaford already has higher prices. They will charge two dollars more for the same frozen food item than the WalMart down the street.

user-pic

@winshape: Which doesn't keep the thieves from charging up your credit card numbers that they just stole, which reduces your available credit until it gets credited back, which dings your credit score.

And you've still got to spend hours on the phone sorting things out.

user-pic

@holytrainwreck: Sadly, it is less of a paper tiger than you think. At issue is the difference between reasonable risk and UNMITIGATED risk. There are countless examples of companies failing to take any steps to safeguard consumer data. That is what is at issue here.

user-pic

I'd add that these "zero-liability" clauses may not be easy to prove to a bank. My wife is currently in a dispute with her bank from our home country, where she had some modest savings. The card has been almost inactive since we moved to the US and never left her physical possession. However, when there was a purchase somewhere in Australia, the bank took the stance that the card was handed to somebody who used it there. They still haven't responded as to whether the transactions had a signed receipt, whether the signature matched that on the card, whether any ID documents were produced, etc.

Given the timeframe of this unauthorized activity, I suspect it might be the Heartland breach - I received a notice from my credit union at approximately the same time. We called the Heartland hotline to check whether her card had been compromised, but they refused to provide this information.


So, I think it should be mandatory for retailers and clearinghouses alike to:

- Notify all people involved

- Be liable for damages to consumers directly - which they could later recover from those "zero-liability" coverages by Visa and MasterCard.


And, if you'd like to know which bank you'd better avoid on your trips to Europe: Raiffeisen Bank.

user-pic

@AustinTXProgrammer: Very true, and for this reason, is it very difficult to determine when something is "secure enough" to get the company off the hook. That being said, I think there's one easy distinction to draw: awareness of the issue. We've seen countless cases on this website of a consumer discovering a security hole, reporting the problem to the company, and being ignored. I think that if there is reasonable proof that the company was made aware of the issue and didn't take steps to fix it, they should be held responsible. I have no idea if this was the case in the Hannaford breach, but I think that enforcing this across the board would lead to companies taking security more seriously.

user-pic

@Jabberkaty: The only place a hold will affect you is @ a gas station, hotel or when renting a car.

Why not use a credit card and pay in full each month? Or at the very least change your PIN and use the card as credit wherever you go and pay inside for gas.

user-pic

@Stilor: If it was a VISA or MasterCard, contact them directly and let them know your bank isn't complying with the Visa/MC Zero liability policy.

user-pic

@holytrainwreck: It's not that I want to lose ANY money... but I find carrying $200 in cash to the supermarket safer these days than using the credit/debit card. I don't plan on using a chargeback for GROCERIES.


Big purchases? Of course I want the credit card coverage. No question.

user-pic

I don't think this is such a great idea. It sucks if your card gets compromised, but that's exactly why networks require issuers to protect cardholders from loss. The whole point is NOT to make cardholders go thru lengthy & expensive litigation to recover their own money.

Have these cardholders actually lost anything tangible? No. Issuers bear the brunt of that loss. If a court determines that people can sue on their own for damages - even abstract ones - I think it will become a wedge for issuers to lobby networks & the gov't that liability protection is no longer needed.

Shifting liability to the consumer for recovering our own money is NOT a good thing.

user-pic

wow...ok how the fuck can you say that all their data was left out there unprotected???? that is the most thing I have read in quite a while.

Go look at the wiki page for Albert Gonzalez [en.wikipedia.org]

He is the one who got all the data; he is not some average joe who was walking down the street and just happened to fall onto some data, he is a genius programmer and hacker. Lack of security was not an issue, an epic hacker was.

user-pic

@tailstoo: Not true. It could mean lower profits... wait, what am I saying? No, wait, don't dip me in that tar and cover me with feathers.. aieee!

user-pic

@Wheeldog: much like the credit card reform, eh?

user-pic

@rainbowsandkittens: not to mention scapegoating some employee. . . .

user-pic

@Evil Otto - sleep deprived ftl: Or it could be both. Simple microeconomics suggests the extra costs would be shared by both the retailer and consumer.