State officials are calling into question whether Scarborough, Maine-based Hannaford Bros. supermarket chain should have announced a security breach sooner.
Their position is based on Massachusetts’ 2007 consumer protection law, which requires retailers to inform consumers when their personal information has been compromised “as soon as practicable and without unreasonable delay.”
Office of Consumer Affairs and Business Regulation Undersecretary Daniel C. Crane wrote to Hannaford President and Chief Executive Officer Ronald Hodge on March 18, a day after the company acknowledged the data breach, which it first discovered on Feb. 27.
In the letter, Crane reminded Hodge of the company’s “reporting obligations” under the law, passed last summer, that require Massachusetts consumers to be notified if information including their name and Social Security, driver’s license or any financial account number is released to an unauthorized party.
Failure to comply with the law by notifying the attorney general and Office of Consumer Affairs promptly could subject the offender to court action, he wrote.
A spokeswoman for Attorney General Martha Coakley said her office is in communication with Hannaford’s “to ensure that appropriate notifications are made.”
Hannaford Bros. announced on March 17 that some 4.2 million consumer credit and debit card numbers and expiration dates – but not the associated consumer names, which the company said it does not collect – may have been compromised between Dec. 7 of last year and March 10.
It acknowledged the breach publicly only hours after the Massachusetts Bankers Association released a statement that a data breach had occurred at an unknown retailer and was affecting about 70 Bay State banks.
Credit card companies had earlier refused to release the name of the retailer involved, citing their contracts with the retailer.
The breach has led to approximately 1,800 fraud cases to date, the Associated Press reported.
Consumer information was potentially compromised at more than 270 Hannaford and Sweetbay grocery stores throughout the Northeast and Florida, according to the news agency.
The case is being investigated by the U.S. Secret Service.
‘The Strongest’ Systems
HarborOne Credit Union President and Chief Executive Officer James Blake, who is also chairman of the Massachusetts Credit Union League, said his $1.5 billion institution was notified by Visa on March 14 that about 2,000 of its customers’ Visa card accounts were compromised.
That compares to approximately 10,000 HarborOne cards compromised during last year’s data breach at Framingham-based clothing retailer TJX Cos., Blake said. The TJX breach has been called the largest in U.S. history.
Blake said he’ll be interested to see whether Hannaford Bros. was adhering to data security standards required by contract with its payment processing bank. Merchants do not contract directly with MasterCard and Visa, but with a processing bank that in turn contracts with the credit card companies. MasterCard and Visa require processing banks to have data security standards in place.
Following the settlement last December of a Massachusetts Bankers Association lawsuit against TJX, the MBA said 70 percent of the country’s largest retailers were compliant with payment card industry security standards, compared to just 40 percent in June 2007.
If it’s shown that Hannaford did not adhere to the standards, that will highlight the continuing risks financial institutions and consumers face, Blake said.
In its online statement, Hannaford said it believes its data security systems “are among the strongest in the industry.”
Retailers Association of Massachusetts President Jon Hurst said some breaches could be avoided if banks and credit unions would favor personal identification numbers, or PINs, instead of customer signatures during transactions.
PINs typically don’t appear in the same place as credit card numbers during data breaches, Hurst said, so it’s less easy for consumer information to be compromised.
But Blake said data thieves involved in large-scale data breaches “are not running around trying to match signatures.” The thieves are much more sophisticated, he said, and are using the data to perpetrate other kinds of fraud.