It’s a Small World | By Laura Alix
Discussion of the cost and consequences of data breaches inevitably leads to calls for a more even distribution of financial responsibility for dealing with breaches at retailers. Bankers, meanwhile, have done what they can to mitigate their own security threats and recoup their customers’ losses.
In Massachusetts, there’s a bill pending before the state Legislature – introduced a year ago, well before the Target breach – that calls for some of the same measures advocated by the National Retail Federation in a Jan. 21 letter to U.S. lawmakers. The discussions in Massachusetts very likely mirror concerns raised in other states, and some of the provisions in the proposed bill are sure to have national resonance in the months ahead.
David Floreen, a senior vice president at the Massachusetts Bankers Association (MBA), likens it to the assumption of liability in an automobile accident: The driver who caused the accident is responsible for assuming whatever automotive or medical costs the other driver may have incurred.
Likewise, a retailer whose lax data security posed an easy target for hackers would have to reimburse those banks that shell out to reissue their customers’ compromised cards.
Secondarily, the bill would also repeal a state statute that prohibits banks from informing customers as to where the breach occurred – something the National Retail Federation brought up in its letter.
Floreen pointed out that the legislation doesn’t single out retailers, or any other link in the payment chain. Under the Massachusetts bill, banks, card processors and retailers would be equally responsible for protecting consumers’ sensitive data from cyber thieves.
But though retailers may have suffered the PR fallout from these data breaches, banks have actually been footing the bill for replacing their customers’ cards.
During a hearing before the Massachusetts Committee on Consumer Protection and Licensure in late January, James Gordon, a banker speaking on behalf of the MBA, noted the irony in capping the interchange fees banks collect on debit and credit card transactions, while retailers are largely free of having to absorb the financial losses resulting from card fraud.
“Currently, merchants and other data processors have little legal or financial incentive to ensure compliance with high data security standards and imposing financial liability on those entities to cover the card replacement and fraud losses absorbed by banks that are associated with a breach will provide a greater incentive on those entities to develop, implement and monitor stronger protections for their customers,” Gordon told the committee.
But banks are also using the crisis as an opportunity. “Some used their social media presence very well in trying to educate their customers on the situation and giving a heads-up to keeping an eye on their credit reports,” said Matt Putvinski, director of IT assurance and security services at Wolf & Co. “It’s definitely an opportunity for banks to act as the customers’ ally, and if any of them didn’t take that opportunity, they missed out.”
While the safest course might seem to be a wholesale reissuance of every potentially compromised card, that solution could also prove prohibitively expensive, particularly for smaller banks. “If financial institutions start reissuing cards every time one of these breaches happens, it’s just going to become extremely costly. You’re going to start regularly seeing these incidents occur,” Putvinski said.
Some banks did reissue those potentially compromised cards; others reissued cards only upon the customer’s request; and still others carefully monitored their customers’ accounts for fraud.
Meanwhile, John Carlson, executive vice president of Technology Risk at the Financial Services Roundtable (FSR), thinks the onslaught of cyberattacks will galvanize more support for EMV, or chip-enabled cards, which are harder to duplicate than the magnetic stripe cards presently used by most Americans.
Carlson said a number of players, including FSR and multiple law enforcement agencies, are working behind the scenes to improve information sharing, crisis management response and legislative advocacy on this front, as well.
“The cyber threat environment is such that, whoever’s behind this, they’re getting much more sophisticated,” Carlson said. “We know that from working with our security professionals and our financial institutions, it’s in some respects an arms race. Even the consumer has to be constantly vigilant.”