US banks and retailers appear to be on a collision course after reports emerged that the banking industry is lobbying for changes in the law that would make retailers responsible for paying all costs associated with a breach of their systems.
The dispute appears to have flared up after several high-profile retail data breaches this year, in the aftermath of which the banks ended up contributing significant sums even though the underlying security incident occurred on the retailers’ side.
When Home Depot was struck by a cyber-attack, for example, banks and credit unions were forced to pay $160m for card re-issuing and other associated costs, while the store estimated it lost at least $62m, according to the FT.
Financial services industry bodies are apparently now joining forces to lobby lawmakers into introducing new legislation which would force retailers to foot the entire clean-up bill.
The Independent Community Bankers of America, the National Association of Federal Credit Unions (NAFCU), the Credit Union National Association, the Consumer Bankers Association and the Clearing House are all behind the plan, the report said.
The NAFCU’s website states the following, which it says should be “addressed in any comprehensive data security bill”:
“NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require merchants to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame. The entity that is best situated to mitigate the risk to sensitive data should be the liable party when a breach occurs.”
Phil Lieberman, CEO of Lieberman Software, argued that this is a classic case of the “pot calling the kettle black”.
“The card issuers in the US have been fighting tooth and nail to inhibit EMV chip technology for the past decade, and then blaming the retailers for card-not-present fraud caused by the lack of EMV technology on their part,” he claimed.
“On the other hand, many large retailers have engaged in a pattern of egregious disregard for the most basic elements of security that EMV adoption will have no effect on improving – think email and customer lists.”
CEOs of large retailers too often see security as a “reactionary spend to resolve point-in-time incidents,” with proactive approaches largely ignored as wasteful.
“For many CEOs the idea of investing in cyber-security is seen as a waste of shareholder profits,” said Lieberman.
“It is clear that now is the time for the legislature to put down some bright lines and serious consequences for CEOs that disregard the rights of their customers by not investing in security as well as processes to secure the personal information of their customers.”
Rob Lay, cyber-security solutions architect at Fujitsu UK & Ireland, argued that the clash between banks and retailers should be seen as further evidence that firms need to develop more mature security programmes.
“Given that consumer tolerance for data loss is at an all-time low, and that the threat landscape is developing at an increasing rate also, remaining reactive to security challenges is no longer sufficient,” he added.
“Businesses should look to create a strategic approach to security that allows them to analyse the threats that the business actually faces, and look at ways to develop a proactive stance to dealing with those threats in a flexible and consistent manner before breaches and security incidents occur.”