Small Banks Shouldn't Pay for Retailers' Mistakes
No amount of diligence on the part of financial institutions will help prevent future data breaches until retailers are subject to the same national data security standards that apply to banks and credit unions
If there was any question about the need for Congress to modernize our nation's data-security laws, the recently announced settlement between Target and MasterCard should put all doubts to rest.
Target has agreed to reimburse affected MasterCard-issuing banks roughly $19 million following the retailer's massive 2013 data breach, which incurred significant costs for thousands of community banks. MasterCard issuers have to choose by Wednesday at 5 p.m. whether to accept pennies on the dollar for the costs of reissuing cards compromised by the retailer's breach or to continue the costly and risky road of litigation.
Neither option is particularly desirable. And it follows a bit of a Catch-22 for those community banks that had to respond to the Target breach in the first place. Reissuing compromised cards incurs not just an expense, but also the wrath of customers who feel inconvenienced and blame their banks for retailer breaches. But choosing not to reissue compromised cards, which would put customers and issuing banks at considerable risk, is simply not an option.
Talk about being caught between the devil and the deep blue sea. Community banks had to reissue nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of last year's Home Depot data breach, according to Independent Community Bankers of America data. That follows a reissuance of more than four million payment cards at a cost of more than $40 million after the data breaches at Target and Neiman Marcus less than a year before. That's a total of 11.5 million debit and credit cards, costing more than $130 million.
So how can we keep credit- and debit-card issuers and their customers from paying the price for data breaches at retailers? The court system certainly hasn't gotten us very far. The legal battle between these retail and payments behemoths has left affected community banks as collateral damage. What really has to change is the law itself, which is why Congress must finish the job of reforming our data-security system.
To effectively protect against the threat of data breaches, Congress must ensure that all participants in the payments system, including retailers, are required to play by the same set of rules. Under current law, merchants are not subject to the same federal data security standards and oversight as financial institutions, which are required to meet a host of regulations laid out in the Gramm-Leach-Bliley Act.
Further, policymakers should ensure that the costs of data breaches are borne by the breached parties. Requiring breached parties to shoulder the cost would align incentives to maximize data security by all parties that store consumer data, making the payments system stronger over time.
The security of our payments system is only as strong as its weakest link. Securing financial data at financial institutions is of limited value if it remains exposed elsewhere. That's why applying consistent standards to all participants and requiring everyone in the system to take responsibility for the breaches they incur is crucial to truly protecting our most sensitive information.
Camden R. Fine is president and chief executive of the Independent Community Bankers of America. Follow him on Twitter @Cam_Fine.