How Can Retail and Financial Groups Prevent Another Target Breach?

With cybercrime a major threat to both the retail and financial spaces, industry groups that at times are at odds suddenly find themselves on the same team. A conference this week highlighted how trade groups hope to tackle the issue together.

You’d think that the alarm sounded over Target’s data breach last holiday season would’ve been the public’s cybersecurity wake-up call, or maybe even Home Depot’s breach confirmed this week.

But Rep. Mike Rogers (R-MI) says the news about Jennifer Lawrence’s iCloud account might have been what got people to stop hitting the snooze button and start paying attention.

“I think this woke up a whole new generation of Americans to say, ‘Wait, somebody hacked into these people’s accounts,’” the House Intelligence Committee chairman said in comments at the 2014 Merchant-Financial Services Cybersecurity Summit on Wednesday in Washington, DC. The event was put on by Bloomberg Government and the Merchant Financial Cyber Partnership, a coalition of 19 retail and financial trade groups first announced earlier this year.


Rogers’ point about the celebrity photo hack that made big headlines this month—and his dire predictions about data security, joined by Sen. Saxby Chambliss (R-GA), vice chair of his chamber’s Intelligence Committee—speaks to what the financial and retail industries are up against as they try to draw attention to serious security threats.

The summit, headed up by the Retail Industry Leaders Association (RILA) and the Financial Services Roundtable (FSR), was organized to highlight efforts by associations in the financial and retail industries to improve security through information-sharing. It’s a noble goal, but one that comes with significant challenges:

Business concerns: A cybersecurity breach can have serious consequences for a stock price or, in Target’s case, foot traffic. And while data sharing among retailers and financial firms may help prevent breaches, it can lead to antitrust questions and can risk exposure of sensitive threat information that companies and law enforcement want to keep secure. A new federal law (along with the patchwork at the state level) could help clear up some of these issues, but getting it passed might prove a challenge. “We don’t have a sense of urgency on this the way we need to have a sense of urgency on this,” Rogers said of the legislation already pending in Congress.

The drumbeat of technology: Laws currently on the books do encourage financial data security—most notably the Electronic Fund Transfer (EFT) Act of 1978. The problem is that current law doesn’t always cover new technologies, such as the just-announced Apple Pay system. To mitigate that, Rogers suggested that any updates to the EFT Act should be “technology-neutral.”

The dynamic nature of the threat: A common analogy used throughout the day at the conference—first by Principal Financial Group’s Larry Zimpleman, FSR’s chairman of the board—is that the cyberattackers of today aren’t bored kids in the dorm anymore, but are more likely to be state-sponsored terrorist groups or part of an organized crime syndicate. And they’re getting better all the time.

What Associations Can Do

Wednesday’s summit touched on industry needs in fighting cybersecurity dangers on both the financial and retail fronts. Officials from RILA, the American Hotel & Lodging Association, Wal-Mart, MasterCard, and the FBI were among those who took the stage.

The formation of the Merchant Financial Cyber Partnership—in the wake of a bitter fight between the two sectors over credit- and debit-card interchange fees and amid debates over who will pay for necessary system upgrades—shows that the industry can collaborate on discussions over common concerns.

But even with pledges to take big steps to tackle data security collectively, there are still issues that could stop information-sharing efforts dead in their tracks.

“We need to get the liability taken care of between public and private collaborations,” said RILA Senior Vice President Suzie Squier, noting one sticking point.

Even though privacy advocates point to the potential dangers of the private sector collecting and sharing information, FSR’s CEO Tim Pawlenty, a former Minnesota governor and Republican presidential candidate, said the risks of doing nothing are much greater.

While critics are concerned about one form of privacy, Pawlenty told conference attendees, “personal privacy is being violated flagrantly every day” by cybercriminals.

Financial Services Roundtable CEO Tim Pawlenty speaks at the 2014 Merchant-Financial Services Cybersecurity Summit. (via FSR's Twitter page)


By Ernie Smith

Ernie Smith is a former senior editor for Associations Now.
