Heartland: What We've Learned
Mind you, I didn't have any delusions. After the breaches, news events and regulatory issues of 2008, I didn't think we were going to turn the calendar page and emerge in a new world of a healthy economy and soaring consumer confidence.
But neither did I think, four weeks later, we'd already have our first major security breach of the year - Heartland Payment Systems (HPY) - and that it would so dominate our industry's attention.
I get it, though, why we're so enamored of this case. It speaks to our biggest fears, first of all, that unknown electronic assailants can sneak into our systems and pry away our customers' names and critical information. Then there's the unknown enormity - we truly don't know how big this breach was. And, finally, it hits home. For you, the banking institution, you're the one left replacing your customers' cards and explaining why. For me, the banking customer ... well, mine is one of the banks doing the explaining. Needless to say, we're monitoring accounts closely.
So, we were among the first to break the Heartland story when it first broke last Tuesday, and we've continued to follow it closely. After the initial media surge, where we saw news outlets and solutions providers tripping over one another to opine over what they think happened to Heartland and what it all means, here is what I believe we've learned so far from the case:
1) The Damage Goes Far Beyond the Breach. Heartland execs absolutely did the right thing by stepping forward last week and saying "We were breached," but the company has suffered for it ever since. The market responded to the news by gutting the company's value from over $14 per share last Tuesday to a low of just under $8 this week. Reputationally, you just can't measure the damage - Heartland is now synonymous with "breach," and that's a tough tag to shake. Unable to answer questions about exactly what happened and how many consumers were exposed to hackers, Heartland execs have instead tried to put the focus on rallying the payments industry to fight cyber crime. But too little, too late? Heartland CEO/Founder Robert Carr does himself no favors by referencing the Tylenol tampering case in his public statements. Seven people died in that notorious 1982 incident. That's not the association Heartland needs.
2) This May be Just a Harbinger of Breaches to Come. I rolled my eyes a bit when I saw the PR blurbs last week about "bigger than TJX" and "biggest data breach in recorded history." But as I hear industry experts discuss this case now, I understand their legitimate concerns. Not so much because we don't know how many cards were exposed, but because we don't entirely know how many other payment processors might be vulnerable. As security experts such as Gartner's Avivah Litan point out, the processors are the new target for hackers because - hey, that's where the money is. And, hey, that's also where there's a whole lot less industry regulation and examinations on information security measures that could better prevent such breaches. Which leads to ...
3) We've Got to Discuss Stronger Regulation for Non-Banking Entities. I know, we're all security-conscious adults here, and we'd like to think that companies invest in bleeding-edge information security measures because that's just the right thing to do. But the reality is - especially in economic times such as these - companies do what they have to do, not just what they should. Banks and credit unions, which are overseen by agencies such as the FDIC and NCUA, are examined regularly and have their feet held to the fire on security matters. In the case of companies such as Heartland, overseen by the FTC, there are no examinations to ensure good practices - just penalties to punish the bad. Yes, there's the PCI DSS, but as its name says - it's a standard, not a regulation. As the Obama Administration and Congress sit down to discuss new regulatory measures, it's time to look closely at non-banking entities that handle personal and financial information. We're talking retailers that hold all your personal data and buying habits. Auto dealers that run credit reports and manage your loans. And, yes, payments processors that run your card when you buy a meal or order a book. If these companies are going to hold our data and conduct financial transactions, then they need to be held to the same measure as banking institutions. But they aren't going to volunteer for tougher regulations and sanctions.
I'm curious to hear your thoughts. What's your take on the Heartland breach, how it's been handled and reported, and what do you think needs to happen next to prevent similar crimes?