Canadian retailers need to shake their computer security complacency

The term “buyer beware” used to mean that you might regret the purchase you were about to make. Now it basically serves as a warning that no matter where you shop, your personal data may be at serious risk.

This week, following the recent high-profile computer security attacks at Target, Nordstrom and other major U.S. merchants, the Retail Industry Leaders Alliance based in Arlington, Va. announced the formation of a council that will focus on cybersecurity issues and a push for better laws to notify consumers when an attack occurs. In Canada, meanwhile, major Canadian retailers announced ... nothing.

Part of the problem, according to Toronto-based security and privacy consultant Claudiu Popa, is that Canada has been ahead of the U.S. in some areas, like our adoption of chip and PIN technology on credit and debit cards. The U.S. is still largely a mag-stripe market (though the retail association hopes to change that soon).

“It’s been a bit of a disconnect in Canada because we’ve had the advanced POS (point of sale) systems in Canada,” he said. “The problem is one of legislation and one of enforcement.”

More specifically, Popa points to the fact that we still lack any real data breach notification legislation in Canada, which means that if an attack hits a retailer here, there is little consistency in how quickly customers are informed. There are also security standards that Canadian retailers have adopted to make sure data is protected, but he says their effectiveness depends entirely on how well each retailer implements them.

On the other hand, Canada does have some well-regarded privacy laws such as PIPEDA that are more in line with stringent European rules and regulations, said Akshay Kalle, CTO at Pathway Communications, a Toronto-based ISP that offers security services. What complicates the situation across the retail sector is the drive to make the various computer systems that stores use to collect, store and manage customer data more enmeshed.

“Everyone wants it interconnected, to have all the systems to tie into one another. That’s great for growing your business, but it creates huge holes in your security,” he said. “Consumers want that type of convenience and we expect that from commerce in general. If we want everything to be integrated, they’re going to try and meet that. But every time they bring in a new system, it brings in new areas of vulnerability.”

Retailers are certainly under pressure to compete and reach consumers in new ways, from online portals and mobile apps to social media channels and more. The trade-off for consumers may be greater risk, but no one’s educating them about what those risks really are. Instead, they learn by watching the horror stories of what’s happening south of the border, which could eventually prompt more preventive measures closer to home.

The other thing that may force Canadian retailers to be more proactive about security is the growing move to partner with financial services firms that allow them to offer branded credit cards and debit cards as a sort of loyalty program. The banks take security more seriously than almost any other sector, which is why you rarely hear of computer security attacks bringing down your local branch. It’s unlikely banks will form relationships with retailers that can’t demonstrate an ability to keep cyber-criminals at bay.

Ironically, all the innovative things retailers are doing with technology are designed to boost sales by deepening customer trust. Then they blow it by leaving themselves open to attack. If only they would realize that, with computer security as with so much else, you get what you pay for.