Retailers ‘should be able to detect’ cyber attacks: lawyer

A breach of customer payment card information involving Saks Fifth Avenue has taken a cyber risk lawyer by surprise.

In July 2017, “malware began running on certain point of sale systems at potentially all Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor locations in North America,” the retailers’ Canadian corporate parent, Hudson’s Bay Company, announced recently. HBC publicly announced April 1 it became aware of the issue.

FILE- In this July 29, 2013, file photo, a shopper uses a Fifth Avenue entrance to Saks, in New York. A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores. The chains’ parent company, Canada-based Hudson’s Bay Co., announced the breach of its store payment systems on Sunday, April 1, 2018. (AP Photo/Richard Drew, File)

“I’m surprised it would have taken them this long to detect [the privacy breach],” Imran Ahmad, a lawyer with Miller Thomson, told Canadian Underwriter Tuesday.

“The malware was designed to collect customers’ payment card information, including cardholder name, payment card number and expiration date,” HBC said in a release. An HBC spokesperson told Canadian Underwriter the retailer is not commenting beyond what is posted to the HBC website.

HBC announced that customers whose payment card information was compromised “will not be liable for fraudulent charges that may result” and that HBC has arranged for a vendor to provide credit monitoring free of charge to affected customers. HBC said there “is no indication” that customers’ PINs, social insurance, or social security numbers have been compromised.

Incidents like this pose a liability risk for retailers because they can potentially be sued by consumers and have to expend time and effort in dealing with regulators, Ahmad said Tuesday. The organization has to mitigate damages to those whose information was compromised.

“Simply offering credit monitoring, although a good step, is not typically sufficient,” said Ahmad, whose specialties include data breach incident preparedness and privacy law. “What you need to have is some level of urgency in communicating with those affected individuals.”

Ahmad suggested there is an expectation that retailers “should be able to detect these kinds of things” unless the attack was “extremely sophisticated.”

This November, Canada will have nation-wide mandatory breach notification. The maximum fine for not complying is $100,000. Not every single breach has to be reported, but those that “create a real risk of significant harm” do.

The new regulations “will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information,” the federal government said in 2017 in a regulatory impact analysis on the new law, which was originally passed in 2015.