BreachExchange mailing list archives

Small Banks Shouldn't Pay for Retailers' Breach Mistakes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 May 2015 14:49:58 -0600

http://www.paymentssource.com/news/paythink/small-banks-should-not-pay-for-retailers-breach-mistakes-3021395-1.html

If there was any question about the need for Congress to modernize our
nation’s data-security laws, the recent settlement negotiation between
Target and MasterCard should put all doubts to rest.

Target agreed to reimburse affected MasterCard-issuing banks roughly $19
million following the retailer’s massive 2013 data breach, which incurred
significant costs for thousands of community banks.

MasterCard issuers had to choose whether to accept pennies on the dollar
for the costs of reissuing cards compromised by the retailer’s breach or to
continue the costly and risky road of litigation. As of May 22, fewer than
90% of the qualified accounts had opted into the settlement, so the
settlement has not become effective, according to a statement from Target.

Neither the settlement nor litigation is particularly desirable. And it
follows a bit of a Catch-22 for those community banks that had to respond
to the Target breach in the first place. Reissuing compromised cards incurs
not just an expense, but also the wrath of customers who feel
inconvenienced and blame their banks for retailer breaches. But choosing
not to reissue compromised cards, which would put customers and issuing
banks at considerable risk, is simply not an option.

Talk about being caught between the devil and the deep blue sea. Community
banks had to reissue nearly 7.5 million credit and debit cards at a total
reissuance cost of more than $90 million as a result of last year’s Home
Depot data breach, according to Independent Community Bankers of America
data. That follows a reissuance of more than four million payment cards at
a cost of more than $40 million after the data breaches at Target and
Neiman Marcus less than a year before. That’s a total of 11.5 million debit
and credit cards, costing more than $130 million.

So how can we keep credit- and debit-card issuers and their customers from
paying the price for data breaches at retailers? The court system certainly
hasn’t gotten us very far. The legal battle between these retail and
payments behemoths has left affected community banks as collateral damage.
What really has to change is the law itself, which is why Congress must
finish the job of reforming our data-security system.

To effectively protect against the threat of data breaches, Congress must
ensure all participants in the payments system—including retailers—are
required to play by the same set of rules. Under current law, merchants are
not subject to the same federal data security standards and oversight as
financial institutions, which are required to meet a host of regulations
laid out in the Gramm-Leach-Bliley Act.

Further, policymakers should ensure that the costs of data breaches are
borne by the breached parties. Requiring breached parties to shoulder the
cost would align incentives to maximize data security by all parties that
store consumer data, making the payments system stronger over time.

The security of our payments system is only as strong as its weakest link.
Securing financial data at financial institutions is of limited value if it
remains exposed elsewhere. That’s why applying consistent standards to all
participants and requiring everyone in the system to take responsibility
for the breaches they incur is crucial to truly protecting our most
sensitive information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
