(Reuters) – Massachusetts lawmakers are considering a bill that would make companies liable when hackers breach their security systems and steal credit card data and other precious information, state officials said on Thursday.
The law would be the first of its kind in the United States, forcing retailers and other companies along with government agencies and nonprofit groups to pay for losses if financial data is stolen, said state Rep. Michael Costello, a Democrat.
They would bear full responsibility for all fraud-related losses, along with costs from the canceling and reissuing of credit cards, and the cost of freezing accounts and credit information in cases of identity theft, according to the bill.
U.S. House Financial Services Committee Chairman Barney Frank, a Massachusetts Democrat, told Reuters he is drafting a similar provision for a federal bill that he expects to introduce to Congress in the next month or two.
Americans lost $49 billion to criminals who stole their identities last year, according to Javelin Strategy & Research, a California-based data research firm.
The Massachusetts bill follows a high-profile computer security breach that may have compromised tens of millions of credit and debit cards at TJX Cos. Inc., a Framingham, Massachusetts-based retailer that operates the T.J. Maxx and Marshalls chains.
“We felt that ultimately the bill would encourage retailers and business entities that hold custodial privileges over information to invest in secure systems that are out there,” said Costello, who sponsored the bill.
Seventy percent of Massachusetts companies are not investing in state-of-the-art encryption and monitoring systems to prevent hackers from breaking in, he said.
The legislation, which was sent last week to a consumer protection committee in the state’s House of Representatives, has strong support from banks but is opposed by retailers who say consumers will not benefit and small companies will suffer most.
Small businesses would incur an extra layer of costs for more security and in cases of big breaches, said Jon Hurst, president of the Retailers Association of Massachusetts, which represents 2,000 firms.
“Such a pyramiding of fees could put small businesses right out of business,” said Hurst.
Doug Johnson, senior policy advisor at the American Bankers Association in Washington, said Massachusetts would be the first U.S. state to shift the financial responsibility from banks to retailers.
He added that the cost of reissuing cards and notifying customers actually exceeds that of fraudulent transactions because “you’re notifying a very large number of people.”
Currently, if credit card data is stolen, banks must pay the cost of notifying customers, issuing new cards, shutting accounts and covering the costs of fraudulent purchases.