BreachExchange mailing list archives

Bankers say retailers passing the buck on data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Feb 2015 05:28:55 -0700

http://gsabusiness.com/news/53741-bankers-say-retailers-passing-the-buck-on-data-breaches

Bankers are asking Congress to approve national standards for data
protection and consumer notification that extend their industry’s public
accountability standards to retailers. Banks also contend they are getting
hit with costs that should be paid by retail cyberattack victims.

With state laws varying, President Barack Obama has said he supports a
uniform national data breach notification standard that would require
businesses to notify customers within 30 days. Cybersecurity legislation is
also getting attention in Congress.

In a Jan. 23 letter to members of Congress, the American Bankers
Association joined with the Credit Union National Association and other
financial industry groups in requesting expansion of their “robust” data
protection and notification standards.

The letter also said that “too often, banks and credit unions bear a
disproportionate burden in covering the costs of breaches occurring beyond
their premises. All parties must share in protecting consumers. Therefore,
the cost of a data breach should ultimately be borne by the entity that
incurs the breach.”

Who’s the victim?

The breaches include high-profile cases with major companies such as Home
Depot, Target, Neiman Marcus and P.F. Chang’s China Bistro, but bankers say
it’s banks that get stuck with costs of changing customer accounts and
reimbursing customers for any fraud.

Art Seaver, CEO at Southern First Bank, said “the Target breach cost our
company probably at least $10,000.” He said that in cyberattacks “we are
always going to do what is best for our clients,” issuing new cards or
taking action to protect and reimburse a bank customer.

“I sent a letter back to the CEO and CFO and head of public relations for
Target, telling them this was my expense and I would appreciate a check,”
Seaver said. He said Target’s executives in a response letter said Target
was the victim and did not include any reimbursement.

S.C. Bankers Association President and CEO Fred Green said his industry
spends “hundreds of millions of dollars annually” to secure customer
records.

He said banks are held to a higher standard that requires quick
notification to every customer potentially affected by a breach “if
information is lost intentionally or unintentionally.” He said regulatory
agencies inspect and audit banks’ customer data security systems.

“What sometimes gets lost in all that is when there is a data breach at a
retailer it affects the banks,” Green said. “The banking industry is the
one that loses money, not the retailer.” He said there is “kind of a
disconnect on that. In all the high-profile data breaches, the cost of
those are borne by the banking industry.”

Green said there is “no insurance” to reimburse banks for such losses. He
said new “chip cards” that have been issued provide added protection in a
retail transaction but most retailers “don’t have the machines to take
advantage of that technology. The bank industry is pushing an acceleration
in retailers investing in technology that would make chip cards a valuable
tool to prevent fraud.”

Green said he expects changes.

“You would think there will be movement to get this passed along,” he said.
“Every day there is a new risk.”

Home Depot has said 56 million customer cards were affected by its breach.
The Target breach affected about 40 million credit and debit cards.

National Retail Federation spokesman Stephen Schatz Sr. said retailers pay
fees to the card issuers on every transaction that should be used for
cybersecurity and have been trying for decades to get card technology
updated. He said the “retail industry of course suffers a huge financial
loss due to fraud.” Schatz said the change to chip cards needs to also
include requiring personal identification numbers when used.

He said cards with the magnetic stripe and the signature for authentication
are outdated and changing only to chip cards without requiring personal
identification numbers is “just a half measure.”

For every transaction that a retailer accepts, a percentage is sent to the
card company to cover the cost of fraud, Schatz said. “There is in fact
retail money in addressing and preventing retail fraud.”

The federation website says a recent Verizon report shows that retailers
account for just one in 10 data breach incidents, while financial
institutions account for more than a third.

Three buckets

Kevin Bishop, a spokesman for Republican U.S. Sen. Lindsey Graham, said in
an email that Graham has not taken a position on Senate bill 177, the Data
Security and Breach Notification Act of 2015. Republican U.S. Sen. Tim
Scott’s staff did not answer email messages seeking comment.

Sam Erwin, chairman and CEO at The Palmetto Bank, said it’s difficult to
quantify spending on cybersecurity. The company, with assets of $1.1
billion and 25 offices across nine counties in the Upstate, has 45,000
active debit cards and 100,000 accounts. Chief Information Officer Mark
Terry said cybersecurity is more than a product with an identifiable system
cost. He said the bank has a “culture” that protects customer data.

“If you look at it there are three kinds of buckets as I see it,” Erwin
said. “One is the cost of the actual loss or the fraud, so if Home Depot
has a breach we confirm that the fraud came from that and it is legitimate
fraud … We also invest in some monitoring services that help us monitor our
client accounts to identify fraud early. Then thirdly we do offer add-on
products or services for our clients that are now part of some of our
accounts that allow them to better monitor their own credit. So if you add
all that together it is a pretty substantial cost that is increasing as
time goes on.”

Terry said that among the retailer breaches, Home Depot had the most impact
on the bank.

Who foots the bill?

Erwin said replacing a bank card costs the bank about $9, on average.

“Every time there is a breach reported in the newspaper we can’t just mass
reissue cards because that creates a lot of disruption for the clients, so
we put in place additional fraud monitoring,” Erwin said.

He said that if “there is some kind of suspicious transaction on it we’re
reimbursing the client as well. So then you have those fraud losses also.”

Erwin said The Palmetto Bank has not had any breaches “and nationally,
according to the American Bankers Association, last year only 5.5% of all
the breaches involved a bank. The vast majority of the breaches occur
outside of the banking system at its inception. Once there is a breach and
there is fraud involved and it hits someone’s checking account, assuming we
can confirm that there has been fraud, then the bank bears that loss. So
there is something in that system that needs fixing. The banking system is
bearing a huge amount of this cost for breaches that are not of our making.”

Erwin said the increasing costs eventually will “be borne by our clients.”

“Fortunately our monitoring systems are very, very good,” he said. “So we
catch them early. We see patterns early, and we are able to minimize those
losses. But again, assuming that the fraud occurs and it is confirmed, that
is the responsibility of the bank. That has become increasingly expensive
for the banks.”

Erwin said “there is a lot of talk about insurance, and we’ve been looking
into that, but to this point there has been no insurance coverage for fraud
losses. That may come in the future.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/