Retailers Push Back on Proposed Banking Legislation Following Massive Data Security Breaches

Retailers including Target and Neiman Marcus made the rounds on Capitol Hill this week, testifying at three days’ worth of hearings with the dual mission of apologizing for recent large-scale data breaches and discouraging any new regulatory legislation.

But while Republicans would likely try to block any new laws, the retail industry may have lost another key ally: some representatives from the financial sector who now say they would have no problem with new regulatory proposals.

The recent breaches have exposed a rift between retailers and banks that has been looming for years.

While the banks say that lax data protection on the part of retailers puts consumers at risk, retail groups say the greatest threat comes from the fact that the U.S. financial sector hasn’t adopted the more secure bank card system that Western European nations began implementing a decade ago.

According to retailers, breaches would occur less often and have less impact if U.S. banks replaced current payment cards, which store data on magnetic stripes and use customers’ signatures for verification, with cards that store data on embedded microchips and use personal identification numbers for verification. If those chip-and-PIN cards were in place, it “would have rendered the account numbers that were taken far less useful” in the Neiman Marcus breach, Chief Information Officer Michael Kingston told lawmakers Tuesday.

U.S. banks agree that a shift in card standards would improve security, but note that it would cost billions of dollars, both for them and for retailers that would have to replace card readers. They would prefer cards that have embedded microchips but continue to use signature verification.

Data security has increasingly become a concern for Congress, not only because of the recent breaches — which affected as many as 70 million customers at Target alone — but also because of other high-profile cases at companies including Sony, TJX Corp. and Coca-Cola. The nonprofit Privacy Rights Clearinghouse calculates that over the past nine years, businesses including financial institutions and retail outlets have reported 1,571 breaches involving 470 million customer financial records.

‘On Top of It’

Prior to his Monday appearance before the Senate Banking Subcommittee on National Security and International Trade and Finance, Troy Leach, chief technology officer for the PCI Security Standards Council, a payment card industry group, said the challenge for the private sector this week was to “show that industry’s on top of it.”

Actually convincing members of that might be difficult, though. While lawmakers from both sides of the aisle said they didn’t want to single out particular retailers for criticism, several influential Democrats said they want legislative action on this long-standing issue.

“We are facing threats to our privacy and security unlike any time before in our nation’s history,” Senate Judiciary Chairman Patrick J. Leahy, D-Vt., said during his panel’s Tuesday hearing. “So I hope in this particular one we can get some good bipartisan support, responding to it, and get some data privacy legislation out here.”

So far, data privacy legislative proposals have covered two areas: requiring the disclosure of data breaches — a bill from Leahy (S 1897) would impose criminal penalties on violators — and providing the Federal Trade Commission with the authority to require companies to develop and maintain data security and impose civil penalties when problems arise.

Of the two, the data breach notification bill has more traction, although industry opposes the notion of federal penalties. Already, 47 states have passed laws that require some level of notification.

But giving the FTC the power to regulate security is something retailers and others in the private sector oppose. This week, that opposition fell back on a notion frequently employed by the U.S. Chamber of Commerce and other industry groups during cybersecurity discussions. The government, they say, is simply too slow and cumbersome to keep up with the fast pace of technology.

“I think the thing that we have to keep in mind is that the threat landscape, the cybersecurity threat landscape, continues to evolve every day. It becomes more and more complicated,” Kingston told Leahy’s committee. “And so, as soon as we establish the standard ... the whole world knows about it, and that gives them the ability to try to defeat those standards.”

The argument is one that Republicans have used to kill past proposals to provide the government with cybersecurity regulatory powers.

Sen. Mike Lee, R-Utah, expressed concern this week about “creating a new federal regulatory authority, in part because sometimes once you establish something like that, it quickly becomes ineffective, especially if it’s in an area like this one, where technological advances can very quickly render a codified national security standard irrelevant or outdated.” Other GOP members said the government’s reaction to the recent breaches should be to increase criminal penalties against the hackers who perpetrate attacks. Sen. Mark S. Kirk, R-Ill., said he plans to introduce legislation to that effect.

But the FTC, which is openly calling for new authority, has said government regulation shouldn’t dictate specific technology standards. Instead, the agency says it should be able to require that companies have processes in place for developing appropriate data security. Jessica Rich, head of the FTC’s Bureau of Consumer Protection, told lawmakers Monday that the agency has a model for such authority, in a 1999 financial services modernization law (PL 106-102).

“You have to put somebody in charge, your chief technology officer,” Rich said. “You have to do a formal risk assessment. You have to then implement safeguards in key areas of risk, such as employee training, network and physical security, service providers, etc.”

Banking Shift

While retailers don’t like the idea of new standards, James Reuter, executive vice president of FirstBank, told the Senate Banking subcommittee that payment card servicers wouldn’t mind them. Banks already have to comply with data security requirements under the 1999 law Rich referenced, he noted.

“So, as an industry, that’s why we are not opposed to setting standards,” said Reuter, who appeared on behalf of the American Bankers Association. “We are already obligated to follow standards today.”

Not everyone in the payment card sector agrees, though. Leach, who appeared at the same hearing as Reuter, said in an interview that Congress should avoid a knee-jerk reaction of having the government create standards, as “there’s no way they can react to it as fast as industry.”

Retailers have also argued that the benefits of U.S. banks switching to chip-and-PIN cards would be greater than any improvements that could result from stronger regulation. That distinction, however, might not mean much to lawmakers. Some Democrats would like to see both a shift in card technology and greater powers for the FTC, and other lawmakers say they’re less interested in squabbling among the industries than in the development of solutions.

“We don’t need another long-term fight between the bankers, the retailers and the card industry,” said Sen. Mark Warner, D-Va., chairman of the Senate Banking Subcommittee on National Security and International Trade and Finance, on Monday.