
Congress Must Make Retailers Responsible for Data Breaches

It's time for Congressional action on data security.

According to Open Security Foundation, 2013 set a 10-year high for the number of data breaches. The Identity Theft Resource Center documented more than 600 breaches in 2013. PC World dubbed 2013 the year of the personal data breach.

The Target data breach has become a "never-ending story" and the recent revelation of the data breach at Neiman Marcus is likely to reinforce consumers' growing alarm at their vulnerability. 

Beyond the nationally publicized data breaches, the ITRC confirmed that many others happened at a more local level. While the causes of these data breaches may have varied, what they all have in common is that consumers' personal data, and in many instances their financial account information, were ultimately put at risk.

Many Americans may not realize that data breaches can happen at any retailer, large or small. They also may not be aware of the risks associated with each transaction. In a data breach, the consumer is exposed to potential identity theft, fraudulent charges and damage to their credit scores and reputations.

While we are heartened by recent efforts in Congress to address these breaches, more needs to be done to make sure retailers and other entities safeguard consumers' sensitive information.

Financial institutions, including credit unions, have had certain standards of data protection in place since the 1999 enactment of the Gramm-Leach-Bliley Act. However, retailers and other entities are not subject to these same requirements.

Financial institutions also bear a substantial burden as the issuers of payment cards. In the event of a merchant data breach, for example, credit unions must notify accountholders, issue new cards, replenish stolen funds, change account numbers and accommodate the increased customer service demands that follow. They do this to protect their members, often at great expense, without help or compensation from the breached entity. They are often forced to charge off fraud-related losses, many of which arise from a negligent entity's failure to protect sensitive financial information or from its illegal maintenance of data.

The recent Target data breach confirms that cybercriminals are successfully capturing vital consumer data, and are often unchecked in their criminal efforts. The failure to strengthen the protection of this consumer data undermines still-fragile consumer confidence and potentially puts our whole economy at risk.

Unfortunately, retailers continue to balk at the notion of being held responsible for their part in safeguarding consumers' sensitive data. The National Association of Federal Credit Unions believes that if retailers want to reap the rewards of consumer sales, they should also take an active role in protecting those consumers' data.

It is with this in mind that NAFCU is calling on Congress to make comprehensive data security legislation a priority in 2014. We urge Congress to address the following issues related to data security:

  • Require merchants to pay for the costs of breaches on their end, particularly when negligence is in play.
  • Require any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
  • Require merchants to post their data security policies at the point of sale if they take sensitive financial data.
  • Require the timely disclosure of the identities of breached companies and merchants.
  • Enforce data retention prohibitions in existing agreements and establish statutory standards prohibiting the retention of payment card information by retailers.
  • Require merchants to notify the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account.
  • Require any breached merchant or retailer to demonstrate that all necessary precautions have been taken to guard data.

Simply put, Congress needs to protect Americans against the data thieves that can be lurking at every transaction, online and in stores. NAFCU urges lawmakers to make 2014 the year of data security by implementing stricter standards on the under-regulated entities that hold personal data. Without this fix, it is just a matter of time until consumers are once again harmed in the next data breach.

B. Dan Berger is president and CEO of the National Association of Federal Credit Unions.



Comments (3)
Dan is EXACTLY correct in his views, and ICBA fully agrees.
Posted by commobanker | Thursday, January 16 2014 at 4:12PM ET
Mr. Berger contends credit unions and banks pay a "substantial" (but unspecified) amount when thieves steal personal information.

The fact is, as reported by the authoritative Consumer Reports in 2011, "the Mercator report estimates U.S. card issuers' total losses from credit- and debit-card fraud at $2.4 billion. That figure does not include losses borne by merchants, which probably run into tens of billions of dollars a year."

Mr. Berger urges that merchants pay even more. But in fact if the losses for data breaches and fraud were actually divided up fairly (whether according to fault or otherwise), credit unions and banks would pay more and merchants would pay less.

And merchants pay those heavy costs whether the breach was their fault or not. Why? Because the credit card giants, Visa and MasterCard, stack the rules against retailers.

Without real standards set by an objective third party, the card networks make the rules - often to the detriment of merchants and credit unions.

To cite just one vulnerability in the system the two companies have created: Retailers sometimes have to take encrypted customer data and decrypt it in order to send it to a bank or credit union because many have not upgraded their systems to allow them to accept encrypted data. If a retailer is breached at that point, the fines, penalties and fraud costs fall on the retailer - even though the retailer had invested heavily to encrypt its data.

Here's another example: When banks or credit unions have breaches (and they most certainly have them), they often don't reissue cards. Instead, they take the risk that there won't be too much fraud and stick merchants with the bill for some of the fraud that does occur.

So merchants welcome hearings and legislation to tighten the security of our nation's bank-card system, enforced by a neutral regulator or standards body that will require Visa, MasterCard and financial institutions to play fair and do far more than they do now to improve security.

Credit unions and merchants alike would be better off with those types of changes.

Michael Flagg
Merchants Payments Coalition
Posted by Merchants Payments Coalition | Thursday, January 16 2014 at 4:04PM ET
While all the checks and balances you outlined are good, they don't address the problem. We need to incent the merchant community to move to EMV.
Posted by jpearce007 | Wednesday, January 15 2014 at 5:09PM ET