U.S. PIRG Consumer Blog: WSJ: Are stores following state data breach laws?

Over at the Wall Street Journal, in a followup story today on the indictment of 11 hackers (previous blog) over the theft of 40 million credit and debit card numbers, questions are asked. According to Some Stores Quiet Over Card Breach: Customers Not Told About Alleged Theft of Consumer Data by Joseph Pereira, Jennifer Levitz and Jeremy Singer-Vine, (pd. subs. req'd): While four chains clearly notified customers of massive data breaches as required by over 40 state laws (Consumers Union list), two chains did not and three chains won't say if they did or not.

Excerpt:

Dan Clements, chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat-rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches. "Telling the public that they've been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down."

The story notes that four chains -- TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. -- followed brech disclosure laws. The two that did not -- Boston Market Corp. and Forever 21 -- told the WSJ they weren't sure they'd been breached.

"The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures."