When shoppers swiped their credit and debit cards to pay for purchases at Barnes & Noble stores last year, they did not expect to have their card numbers and personal identification numbers (PINs) stolen. But hackers had compromised point-of-sale PIN pad card terminals at 63 Barnes & Noble stores in nine states. When the company discovered the attack in September 2012, it decided as a precautionary measure to discontinue use of all PIN pads in its nearly 700 stores.
At the Justice Department’s request, the company did not inform consumers of the data breach for more than a month so the FBI could investigate the crimes first. Although it did notify customers in late October, the retailer’s website at press time said the company was still seeking to identify compromised accounts. Barnes & Noble thus became the latest in a long string of companies to face the public relations nightmare, financial drain and potential legal risks of coping with a significant data breach.
Doing the right thing starts with encryption, the process of transforming information so that it cannot be read by anyone who does not hold the decryption key. At least 46 states have enacted security breach laws requiring notices to consumers, but if the personal information was encrypted, notice generally is not required, provided the encryption key itself was not also exposed in the breach.