WASHINGTON The spotlight on massive credit card breaches at retailers has again prompted lawmakers to consider data security reform, but whether a bill will actually move through Congress is still a huge question mark.
The theft of personal data on as many as 110 million Target customers over the holidays followed by reports of a similar attack at Neiman Marcus has spurred calls for new congressional hearings on the issue, proposed legislation to protect consumer information and competing letters to Congress from Washington trade groups representing the financial services and retail industries.
"Congress is always looking for relevance," said Edward Mills, a policy analyst at FBR Capital Markets. "You don't have an incident affect that many Americans and don't at least have a hearing on it."
But while the data security issue appears to have new legs on Capitol Hill, there are still many obstacles to a bill passing. The response to the breaches has reignited a long-running fight between banks and retailers over who bears the costs of such crimes, and although the Target incident has sparked the attention of policymakers, focus on the issue could fade.
Some say a tipping point could come in the future if more data attacks are reported.
"The real wildcard is, are some other companies in the same boat that we haven't heard from and that has the potential to jumpstart things in a big way," said Mark Calabria, a former Senate Banking Committee staffer and now director of financial regulation studies at the Cato Institute.
Calabria noted, for example, how momentum quickly shifted from one accounting scandal to the next in the run-up to lawmakers passing the Sarbanes-Oxley law. "With Sarbanes-Oxley, the Enron momentum evaporated by the time they had hearings and markups. It really was WorldCom that got it done," he said.
The breaches have touched off several requests for hearings from lawmakers in both the House and Senate, including members of multiple committees, from banking to commerce to judiciary to homeland security.
Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., recently reintroduced a bill, supported by the American Bankers Association and others, that would require retailers and banks as well as other entities involved in card payments to better protect their consumers' information and also establish national standards for notifying consumers in the wake of a data breach. Sen. Patrick Leahy, D-Vt., has also reintroduced a similar bill.
"As the recent incidents involving Target and Neiman Marcus remind us, major data breaches that compromise consumers' identities and financial security are becoming more routine," Carper said in a press release. "This bipartisan and comprehensive approach would better serve consumers by ensuring that businesses and government agencies take the steps necessary to secure personal and financial information and respond swiftly and effectively in the unfortunate event of a breach."
Data security has attracted interest from lawmakers in the wake of earlier breaches as well, but the heightened focus was never enough to get legislation through both chambers of Congress. Jurisdictional issues between the numerous congressional committees trying to lead the debate have presented problems before, and could do so again.
"There are a lot of different areas of Capitol Hill that can touch this issue, and whenever you get that many committees involved, it complicates things," said Ryan Donovan, senior vice president of legislative affairs at the Credit Union National Association.
Observers said it is still unclear if the consumer outrage over the Target incident is enough momentum to push a bill through a divided Congress ahead of the midterm elections.
"In the six to eight to 10 weeks after a breach, there's a lot of attention given to this issue, but as the headlines fade so does the attention," said Donovan. "What doesn't change is that this issue keeps coming back, and it keeps coming back because safeguards aren't taken to keep these breaches from happening."
Meanwhile, any legislative debate will likely be complicated by growing tensions which have erupted before between Washington trade groups representing the credit card and retail industries over which industry is more responsible for the breaches.
"While we are heartened by recent efforts in Congress to address these breaches, more needs to be done to make sure retailers and other entities safeguard consumers' sensitive information," B. Dan Berger, head of the National Association of Federal Credit Unions, said in a Jan. 15 op-ed in American Banker.
The spat comes just after the two industries fought tooth and nail over the legislative cap on debit interchange fees, which was added to the Dodd-Frank Act by Sen. Dick Durbin, D-Ill. The battle over interchange fees continues to be fought in the courts.
"There's a longstanding battle between banks and merchants on who bears the cost for any of these breaches, and that battle only intensifies over this," said Mills. "Banks are the ones who ultimately need to reissue cards, and they bear a lot of the cost here. But the flipside is you have a view that there are a lot of merchants paying interchange fees to cover some of that fraud. You're quickly dusting up legislative battles of the past over Durbin that nobody really wants to relive."
Donovan called the Carper legislation a "good start," but said that his group is pushing for several additional provisions to any legislation, including language that requires the entity that is breached, such as Target, to be responsible for the ensuing costs.
"When there's a breach like this, the cost of making sure the consumers are protected is covered by the financial institution that issues the card," he said. "We're the ones making the decision to reissue the card and monitor the accounts, and we also have the obligation to notify the consumer."
Merchants, however, are arguing that banks need to beef up security for their credit cards, including instituting the "EMV" chip standard that is used elsewhere around the world for authentication.
"Continuing to issue outdated cards, and saying that someone else has to pay for it when that card gets hacked, doesn't make sense. For some time now, we have been saying we need PINs and chips," Mallory Duncan, a senior vice president and general counsel at the National Retail Federation, said in an interview. "If you're going to reduce fraud, at a minimum you need both."
A Jan. 21 letter to lawmakers from NRF, suggesting that faulty security features in bank-issued cards was a culprit in the Target breach, triggered an angry response Wednesday from the Independent Community Bankers of America. "Retailers and their processors not banks are responsible for the systems in their stores," Camden Fine, the group's chief executive, said in a release.
Paul Merski, ICBA's executive vice president for congressional relations and chief economist, said in an interview that added requirements for banks in a data security bill would be misguided. He argued that the problem of data breaches has lately been "at the retail level which does not involve the financial services sector."
"We're concerned that the new focus is not misplaced on adding more and complex rules and regulations on the financial services sector if that's not where a breach occurs," he added.
Mills said the lobbying power of the two sides could put lawmakers in the difficult position of needing to choose sides in a legislative showdown.
"Given these guys are pretty equally matched on the influence side, there's not a strong desire to open up a battle," he said.