It is hard to believe that more than a year has gone by since Target disclosed a massive data breach and harder still to accept that consumers face a new holiday shopping season without the benefit of national standards on data security and breach notification safeguards for retailers.
This inertia is especially disconcerting given the continuing rash of retail data breaches that consumers have had to endure since the Target hack, including breaches at Home Depot, Michaels, Sally Beauty Supply, Neiman Marcus, AOL, eBay, P.F. Chang's Chinese Bistro, Supervalu, Dairy Queen, Jimmy Johns, Kmart, Staples and Bebe Stores. More than 679 breaches have occurred in 2014 thus far, according to the Identity Theft Resource Center. That's already a 25% increase from last year and the year is not over yet.
Clearly, consumers' data remains extremely vulnerable to cybercriminals who often target the weakest links in data protection: retailers. Unfortunately, consumers and their financial institutions are paying the price. The Target data breach alone will cause financial institutions to lose nearly $500 million in card replacement costs and other expenses, according to estimates by the National Association of Federal Credit Unions. U.S. District Judge Paul Magnuson ruled in December that financial institutions claiming to have spent millions of dollars replacing their customers' compromised credit and debit cards may proceed with a negligence class action against Target.
Unlike retailers, financial institutions maintain rigorous internal protections to ward off criminal attacks. They are required by federal law (specifically, the Gramm-Leach-Bliley Act) and by regulation to protect this information and to notify consumers when a breach occurs that may put them at risk. By contrast, retailers are not subject to any federal laws or regulations on consumer financial data protection and breach notification.
This disparity in data security standards is both irrational and hazardous for our economy. No amount of diligence on the part of financial institutions will help prevent future data breaches if retailers are not held responsible by national data security standards like the ones applied to financial institutions under Gramm-Leach-Bliley.
It's clear that retailers' investment in cybersecurity is disproportionate to that of financial institutions. Financial services companies will increase spending on cybersecurity by $2 billion over the next two years, according to a PricewaterhouseCoopers study. In fact, the study finds that U.S. banks and financial firms already spend as much as $2,500 per employee on cybersecurity, whereas retail and consumer companies spend $400 per employee.
While retailers continue to resist responsibility for breach costs or federal supervision, they continue to push for the adoption of chip-and-PIN technology. Many financial institutions are already moving toward this goal ahead of the October 2015 deadline for implementation of the technology.
Although chip-and-PIN technology is an important security measure, it is not a panacea. The improved technology can help reduce fraud and strengthen data security. But for consumers to be more reasonably protected, advances in technology must be implemented in conjunction with merchants' compliance with federal standards for the safekeeping of financial data, cost liabilities, and breach notification in the event of an attack.
NAFCU continues to push for legislative action on national data security and breach notification standards for retailers on Capitol Hill. We have also hailed the introduction of the Data Security Act of 2014, by Sens. Tom Carper and Roy Blunt, which would expand breach notification requirements to all U.S. businesses without imposing new requirements on financial institutions. We have also urged Congress to create a bipartisan, bicameral working group to develop legislative responses to retailer data security breaches.
Ultimately, Congress needs to take action to end the raid on American consumers' financial and personal information. This goal has a better chance of being realized if retailers are subject to the same national data security standards that apply to financial institutions. Until we close the loop on cybercriminals, it will be open season on American consumers and on our nation's economy.
B. Dan Berger is president and chief executive of the National Association of Federal Credit Unions.