Post Target Breach Pontification: What’s Next?
I’ve been thinking some more about the Target breach (and, of course, the Neiman Marcus and Michaels and perhaps others’ data breaches) and the general state of responsiveness to it. After all, how could I not … the topic of retail data breaches is, well, um, all over the news.
So with a tad bit of historical hindsight, I think it’s worth considering the following ideas:
- Korea as a Benchmark? There’s been a lot written about the concurrent – and apparently unrelated – card data breach in South Korea. I am by no means an expert on the South Korean payment infrastructure, but some of the articles have given me pause and made some industry people think about this in the context of the Target incident. Look at this headline, for instance: “37 South Korean Bank Execs Offer to Resign Over Breach. Should Target Execs Follow Suit?” And while this incident appears to be the direct result of a rogue employee, the timing is forcing people to inevitably draw parallels.
- Our Collective Forgetfulness: Many of the banking industry people I have spoken with in the past few weeks wonder out loud whether we’re just going to forget these large retail card data breaches, much in the same way that, one could easily argue, the TJX and similarly headlined data breaches have been shipped off to the dustbin of “old news”. The fact that they are rarely even mentioned in the news coverage of the Target/Neiman/Michaels breaches is indicative of this forgetting, in my opinion. Obviously no one can say what we will all remember from these incidents in one, three, or five years, but the fact remains that there is a very strong likelihood (I would peg it at north of 50%) that many of these incidents will also be forgotten.
- Congress & the Justice Department: The Justice Department has indicated it is launching an investigation. Numerous states are as well. And both the Senate Banking Committee and House Financial Services Committee have begun to hold hearings. Does this mean that any of this will lead to changes? Will new laws be passed? Again, only time will tell, but I suspect the impact will not be as significant as people assume.
- The Card Networks: VISA and MasterCard are both standing by the original EMV liability shift deadlines, despite those deadlines having been set in a pre-Target breach world, and are refusing to back down in the face of growing pressure from merchants and lobbyists. What comes of this will be a fascinating duel, but for the time being, the networks plan to stick with the original 2015 dates. Their adherence to the original dates is all the more interesting because the unrelated debate about how to route EMV debit transactions and network choice has not been resolved; that debate touches on how much the Secure Remote Payment Council (SRPc) will remain involved and how hard the ATM Industry Association (ATMIA) plans to continue pushing things along.
- Sweden, Australia, Canada: There have been a few good articles and research reports comparing the US to countries like Sweden, Australia, Canada, and others. After all, with nearly 80 countries around the world already using EMV technology, the question must be asked, “Why on earth is it taking so long for the US to move to EMV?” For now, I think it is blatantly obvious to most people that the longer the US remains a non-EMV country, the more others’ fraud will come to our shores.
So while the Target/Neiman/Michaels data breaches remain fresh and at the top of most people’s minds, it is also evident that some initial lessons can be gleaned. The topics above represent some of the ways in which we might find ourselves thinking about this incident months and years from now.