Fight Over Data Breach Management Heats Up Between Banking, Retail Groups
While Congress has remained mum on potential data security legislation, the back-and-forth between retailers and bankers continues. Last week, the two industries were at odds over a banking group survey citing “exorbitant costs” of credit card data breaches.
If you think soap opera relationships are complicated, take a crack at following how the retail and banking industries are getting along these days.
The relationship runs hot and cold, with examples of both conflict and cooperation on the critical question of how credit card data breaches should be handled—from who foots the bill when breaches occur to what measures should be put in place to prevent them.
In the latest development last week, retail trade groups fired back against what they called a misleading survey released by the Independent Community Bankers of America, which alleged that banks are being forced to “absorb exorbitant costs” because of data breaches suffered by retailers. In a statement on the survey, ICBA said that after the Home Depot data breach last year, community banks had to reissue some 7.5 million credit and debit cards at a cost of around $90 million.
“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said in the statement. “Communities and customers should not suffer for the faults of retailers.”
In a letter to ICBA President and CEO Camden Fine, several retail trade groups—including the Retail Industry Leaders Association (RILA), National Retail Federation, and National Restaurant Association—said the ICBA statement contained many “inaccuracies and misrepresentations.”
“ICBA cannot simply dismiss data breaches as a retail problem and refuse to recognize the risk to financial institutions—to do so would be a disservice to your members,” the retail groups said in the letter.
Citing a 2013 Federal Reserve study on debit card fraud, they noted that retailers bear an equal or greater cost of recovery after a data breach.
Finding Common Ground
It’s not all doom and gloom between banks and retailers, though. The two sides have come together on multiple occasions. Last year, they formed a coalition aimed at tackling cybersecurity issues. In November, that coalition sent a letter to Congress asking lawmakers to pass uniform data-breach notification legislation. And just last month the coalition outlined eight steps that the two industries can take to strengthen the security of the payments system.
Members of the coalition, which includes 250 senior executives from both industries, have met nearly 50 times, called on dozens of experts, reached a consensus on major policy issues, and participated in the 2014 Merchant-Financial Services Cybersecurity Summit.
“This partnership has been invaluable in ensuring the entire payments system, and key stakeholders are working together to combat cyber attacks,” said Sandy Kennedy, cochair of the partnership and president of RILA. “It is imperative that our two industries continue to learn from each other in this fight and work together in order to maintain the trust of our customers and collaboratively improve overall security.”