If there was any question about the need for Congress to modernize our nation's data-security laws, the recent settlement negotiation between Target and MasterCard should put all doubts to rest.
Target agreed to reimburse affected MasterCard-issuing banks roughly $19 million following the retailer's massive 2013 data breach, which incurred significant costs for thousands of community banks.
MasterCard issuers had to choose whether to accept pennies on the dollar for the costs of reissuing cards compromised by the retailer's breach or to continue the costly and risky road of litigation. As of May 22, fewer than 90% of the qualified accounts had opted into the settlement, so the settlement has not become effective, according to a statement from Target.
Neither the settlement nor litigation is particularly desirable. And it follows a bit of a Catch-22 for those community banks that had to respond to the Target breach in the first place. Reissuing compromised cards incurs not just an expense, but also the wrath of customers who feel inconvenienced and blame their banks for retailer breaches. But choosing not to reissue compromised cards, which would put customers and issuing banks at considerable risk, is simply not an option.
Talk about being caught between the devil and the deep blue sea. Community banks had to reissue nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of last year's Home Depot data breach, according to Independent Community Bankers of America data. That follows a reissuance of more than four million payment cards at a cost of more than $40 million after the data breaches at Target and Neiman Marcus less than a year before. That's a total of 11.5 million debit and credit cards, costing more than $130 million.
So how can we keep credit- and debit-card issuers and their customers from paying the price for data breaches at retailers? The court system certainly hasn't gotten us very far. The legal battle between these retail and payments behemoths has left affected community banks as collateral damage. What really has to change is the law itself, which is why Congress must finish the job of reforming our data-security system.
To effectively protect against the threat of data breaches, Congress must ensure all participants in the payments system, including retailers, are required to play by the same set of rules. Under current law, merchants are not subject to the same federal data security standards and oversight as financial institutions, which are required to meet a host of regulations laid out in the Gramm-Leach-Bliley Act.
Further, policymakers should ensure that the costs of data breaches are borne by the breached parties. Requiring breached parties to shoulder the cost would align incentives to maximize data security by all parties that store consumer data, making the payments system stronger over time.
The security of our payments system is only as strong as its weakest link. Securing financial data at financial institutions is of limited value if it remains exposed elsewhere. That's why applying consistent standards to all participants and requiring everyone in the system to take responsibility for the breaches they incur is crucial to truly protecting our most sensitive information.
Camden R. Fine is president and chief executive of the Independent Community Bankers of America. Follow him on Twitter @Cam_Fine.