Congress has begun the process of advancing legislation to address risks to cyber and data security following high-profile breaches at Target, Home Depot and Sony Pictures. The Senate Intelligence Committee this month released its bill to increase information sharing between the public and private sectors, and the panel’s House counterpart followed suit last week with its own version.
So far, the debate has focused on expanding legal liability protections to companies so they can more easily share cyber-threat information with other private-sector companies and the federal government. Encouraging two-way communication is certainly an important part of shoring up our nation’s cyber defenses. The public and private sectors must be willing and able to share advanced threat and attack data in a timely manner and among financial institutions of all sizes.
Information sharing is essential to reducing cyber risks, but lawmakers cannot stop there if they hope to improve the nation’s cyber defenses and data protections. Capitol Hill must also address our nation’s lopsided system of security standards for payments system participants and implement a national data breach notification standard to replace the current patchwork of state laws.
Banks, including community banks, already comply with a bevy of mandates under existing federal and state laws, regulations, and guidance. Community banks and others in the financial sector are on the front lines of defense against cyber threats. Protecting the confidentiality and integrity of consumer data and mitigating the risks of hacking and cyber fraud are simply part of our business.
To effectively guard against cyber threats and data breaches, Congress must ensure all participants in the payments system, including merchants, are required to play by the same rules and regulations. Under current law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions, which are laid out in the Gramm-Leach-Bliley Act. Securing financial data at financial institutions is of limited value if it is exposed elsewhere. Applying consistent standards to all system participants is crucial to protecting the sensitive information transmitted through our payments system.
Further, policymakers should ensure that the costs of data breaches are borne by breached parties. Community banks had to reissue nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of last year’s Home Depot data breach, according to ICBA data. That follows a reissuance of more than 4 million payment cards at a cost of more than $40 million due to the data breaches at Target and Neiman Marcus less than a year before.
While the lightly regulated retail sector wields considerable power in Washington, that doesn’t mean it should be off the hook for the breaches it incurs. Requiring the costs of data breaches to be borne by the party that experiences the breach would align incentives to maximize data security by all parties that store consumer data, making the payments system stronger over time.
Washington has begun to respond to the pervasive threat of cyber crime that plagues the public and private sectors. But it must go further to improve data and cyber security policies to truly fortify our nation’s cyber infrastructure and the consumers who use it at banks and merchants alike.
Camden R. Fine is president and CEO of the Independent Community Bankers of America.