Concerns about data breaches aren't new to the retail and banking industries or to lawmakers, but the challenges still facing various stakeholders were on display in February, at congressional hearings about recent hackings at Target and Neiman Marcus.
Target's chief financial officer, John Mulligan, acknowledged the retail chain was not aware of a possible breach until it was notified by the Justice Department in mid-December. John Kingston, the chief information officer at Neiman Marcus, says his company learned of a problem when MasterCard reported that more than 100 credit cards used at the luxury goods retailer were reported to have fraudulent activity.
Debate at the hearings focused a good deal on actions that banks and merchants can take together to improve protection of credit and debit cards, including implmentation of chip technology used in Europe and elsewhere around the world, which would replace the magnetic stripe on the back of most U.S. cards today.
Lawmakers pressed witnesses as to why the technology has not advanced more quickly here, given ongoing concerns about data security. Mulligan said Target tried to adopt chip technology with its store cards more than a decade ago, but that the effort needs to be matched by others in the industry. "We put guest payment devices, as we call them, in our stores to read chips. We introduced a new payment card, a Target Visa card, with a chip in it," he told the Senate Judiciary Committee. "But without broad adoption, there isn't significant benefits for consumers."
Some lawmakers, including Sen. Robert Menendez, D-N.J., questioned whether it would be prudent to legislate improved standards without mandating specific technology, which could quickly become outdated given the current pace of innovation in the financial services arena.
But "at what point," he asked, "should it be considered a reasonable security risk for a company not to be using chip-and-PIN technology or something that performs equivalently?"
Lawmakers also asked witnesses whether additional security standards are needed for debit cards, as well as credit cards. " ... [G]rowth in debit cards is coming [from] younger folks and the underbanked community, who potentially are the most vulnerable if they don't have these protections," said Sen. Mark Warner, D.-Va. "It would seem to me that equalizing cards on the same standard makes common sense, too."
James Reuter, an executive at First Bank in Colorado who was representing the American Bankers Association at the hearings, downplayed the need for congressional action on the issue, saying that banks already are doing enough to protect consumers using debit cards.
"I'm not sure additional legislation is needed, because we are adhering to a zero-liability policy as a matter of our business practice," he said.
Consumer advocates shot back, arguing that more could be done to protect consumers in the case of debit card fraud. "The issue here is that zero liability may not occur in all circumstances. It may only apply to signature transactions, not to PIN-based transactions," said Edmund Mierwinski, consumer program director at the U.S. Public Interest Research Group.
"And also I would look at the zero-liability contract and say, 'What if I had two violations in a year; do they honor the second one?' Because some banks don't."
Several lawmakers, including Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., referenced proposals for legislation to beef up data security standards and consumer notification. But it's unclear if momentum will coalesce around any one bill.
In the meantime, lawmakers urged the industries involved in the breaches to beef up their efforts to protect against cybercrime.
"I think that the industry, or maybe I should say industries, have a lot of soul searching to do about whether they've been protective of consumer information," said Sen. Richard Blumenthal, D-Conn. "Because, as we know, you can apprehend, investigate, prosecute criminals, but rarely does that compensate [consumers] when they are victims of identity theft."