BreachExchange mailing list archives
Bankers say retailers passing the buck on data breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Feb 2015 05:28:55 -0700
http://gsabusiness.com/news/53741-bankers-say-retailers-passing-the-buck-on-data-breaches

Bankers are asking Congress to approve national standards for data protection and consumer notification that extend their industry's public accountability standards to retailers. Banks also contend they are getting hit with costs that should be paid by retail cyberattack victims.

With state laws varying, President Barack Obama has said he supports a uniform national data breach notification standard that would require businesses to notify customers within 30 days. Cybersecurity legislation is also getting attention in Congress.

In a Jan. 23 letter to members of Congress, the American Bankers Association joined with the Credit Union National Association and other financial industry groups in requesting expansion of their "robust" data protection and notification standards. The letter also said that "too often, banks and credit unions bear a disproportionate burden in covering the costs of breaches occurring beyond their premises. All parties must share in protecting consumers. Therefore, the cost of a data breach should ultimately be borne by the entity that incurs the breach."

Who's the victim?

The breaches include high-profile cases with major companies such as Home Depot, Target, Neiman Marcus and P.F. Chang's China Bistro, but bankers say it's banks that get stuck with costs of changing customer accounts and reimbursing customers for any fraud.

Art Seaver, CEO at Southern First Bank, said "the Target breach cost our company probably at least $10,000." He said that in cyberattacks "we are always going to do what is best for our clients," issuing new cards or taking action to protect and reimburse a bank customer.

"I sent a letter back to the CEO and CFO and head of public relations for Target, telling them this was my expense and I would appreciate a check," Seaver said.

He said Target's executives in a response letter said Target was the victim and did not include any reimbursement.

S.C. Bankers Association President and CEO Fred Green said his industry spends "hundreds of millions of dollars annually" to secure customer records. He said banks are held to a higher standard that requires quick notification to every customer potentially affected by a breach "if information is lost intentionally or unintentionally." He said regulatory agencies inspect and audit banks' customer data security systems.

"What sometimes gets lost in all that is when there is a data breach at a retailer it affects the banks," Green said. "The banking industry is the one that loses money, not the retailer." He said there is "kind of a disconnect on that. In all the high-profile data breaches, the cost of those are borne by the banking industry."

Green said there is "no insurance" to reimburse banks for such losses. He said new "chip cards" that have been issued provide added protection in a retail transaction but most retailers "don't have the machines to take advantage of that technology. The bank industry is pushing an acceleration in retailers investing in technology that would make chip cards a valuable tool to prevent fraud."

Green said he expects changes. "You would think there will be movement to get this passed along," he said. "Every day there is a new risk."

Home Depot has said 56 million customer cards were affected by its breach. The Target breach affected about 40 million credit and debit cards.

National Retail Federation spokesman Stephen Schatz Sr. said retailers pay fees to the card issuers on every transaction that should be used for cybersecurity and have been trying for decades to get card technology updated. He said the "retail industry of course suffers a huge financial loss due to fraud." Schatz said the change to chip cards needs to also include requiring personal identification numbers when used.
He said cards with the magnetic stripe and the signature for authentication are outdated and changing only to chip cards without requiring personal identification numbers is "just a half measure."

For every transaction that a retailer accepts, a percentage is sent to the card company to cover the cost of fraud, Schatz said. "There is in fact retail money in addressing and preventing retail fraud."

The federation website says a recent Verizon report shows that retailers account for just one in 10 data breach incidents, while financial institutions account for more than a third.

Three buckets

Kevin Bishop, a spokesman for Republican U.S. Sen. Lindsey Graham, said in an email that Graham has not taken a position on Senate bill 177, the Data Security and Breach Notification Act of 2015. Republican U.S. Sen. Tim Scott's staff did not answer email messages seeking comment.

Sam Erwin, chairman and CEO at The Palmetto Bank, said it's difficult to quantify spending on cybersecurity. The company, with assets of $1.1 billion and 25 offices across nine counties in the Upstate, has 45,000 active debit cards and 100,000 accounts.

Chief Information Officer Mark Terry said cybersecurity is more than a product with an identifiable system cost. He said the bank has a "culture" that protects customer data.

"If you look at it there are three kinds of buckets as I see it," Erwin said. "One is the cost of the actual loss or the fraud, so if Home Depot has a breach we confirm that the fraud came from that and it is legitimate fraud ... We also invest in some monitoring services that help us monitor our client accounts to identify fraud early. Then thirdly we do offer add-on products or services for our clients that are now part of some of our accounts that allow them to better monitor their own credit. So if you add all that together it is a pretty substantial cost that is increasing as time goes on."

Terry said that among the retailer breaches, Home Depot had the most impact on the bank.
Who foots the bill?

Erwin said replacing a bank card costs the bank about $9, on average.

"Every time there is a breach reported in the newspaper we can't just mass reissue cards because that creates a lot of disruption for the clients, so we put in place additional fraud monitoring," Erwin said. He said that if "there is some kind of suspicious transaction on it we're reimbursing the client as well. So then you have those fraud losses also."

Erwin said The Palmetto Bank has not had any breaches "and nationally, according to the American Bankers Association, last year only 5.5% of all the breaches involved a bank. The vast majority of the breaches occur outside of the banking system at its inception. Once there is a breach and there is fraud involved and it hits someone's checking account, assuming we can confirm that there has been fraud, then the bank bears that loss. So there is something in that system that needs fixing. The banking system is bearing a huge amount of this cost for breaches that are not of our making."

Erwin said the increasing costs eventually will "be borne by our clients."

"Fortunately our monitoring systems are very, very good," he said. "So we catch them early. We see patterns early, and we are able to minimize those losses. But again, assuming that the fraud occurs and it is confirmed, that is the responsibility of the bank. That has become increasingly expensive for the banks."

Erwin said "there is a lot of talk about insurance, and we've been looking into that, but to this point there has been no insurance coverage for fraud losses. That may come in the future."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- Bankers say retailers passing the buck on data breaches Audrey McNeil (Feb 24)