Now You See Them, Now You Don’t: Banks’ Misdirection on Data Breaches | Commentary

Posted December 9, 2014 at 2:31pm

A staple of the illusionist’s trade is “misdirection” — distracting the audience with the movements of one hand while using the other hand to make an object “magically” disappear.

Apparently, big banks have been studying prestidigitation when it comes to credit card data breaches.

The banks’ strategy has been to call for data breach regulations on merchants, while making their own responsibility for card data disappear. Although there are approximately 1,000 times as many retailers as banks in the U.S., banks experienced nearly three times as many breaches involving data losses last year.

When merchants are breached, the criminals want payment card information, but it is the banks and credit card companies that not only create this data but also dictate how it is to be protected by everyone involved, including merchants. And they have never prioritized security.

Numbers are still embossed in huge characters on the front of cards, even though knuckle-buster machines and carbon copies are obsolete. Actual account numbers are still used, even though technology to encrypt them or substitute other data has existed for some time. Even though encryption requirements are imposed on merchants, banks are still not required to accept encrypted data. And while Europe has combined the use of computer chips and personal identification numbers for 20 years, the banks’ and card companies’ much ballyhooed plans to put chips in place here don’t involve PINs — and chips without PINs don’t have the same benefits.

In short, the banks and card companies have made merchants the target of data thieves by imposing a fraud-prone card system, then worked to convince everyone that breaches result from merchants’ failure to protect data, hoping no one will notice the real source of the problem.

But the banks’ misdirection doesn’t end there. Pointing to the Gramm-Leach-Bliley Act (GLBA), they sing the praises of their own data standards while neglecting to mention they suffer more breaches than merchants — and that GLBA regulations do not require them to notify consumers when the banks have a breach. The regulations just say banks should investigate and, if they think consumers face risks, the banks should notify them.

Little wonder then that banks cite sources that use news reports to count breaches. That way, the banks can try to claim they don’t have many. In October, to take one specific example, we learned that JP Morgan Chase had suffered the largest data breach in history only because the firm quietly included the figures in a standard report to the Securities and Exchange Commission. But, as The New York Times reported, nine other financial firms were hit by related data thefts. Who were they? Darned if the Times could find out.

Later, Bloomberg reported the real number of victimized firms was 12, in addition to JP Morgan — and it managed to glean a handful of the names from company insiders. But because of the banks’ data-disappearing act, the public still doesn’t know who was hit or how badly, and likely never will.

Banks are only too happy to prey upon the public’s lack of knowledge and sell data breaches as a merchant problem. But being able to fool people doesn’t make it right. It is one thing for a magician, whom we pay to entertain us, to slide a playing card up his sleeve and claim he’s made it disappear. But banks can’t make their cards vulnerable to fraud and expect the public to stand by while their money disappears as financial firms play three-card Monte with their own culpability. And letting them get away with it is standing in the way of real, comprehensive solutions.

If America ever wants to make real progress in combating fraud and protecting consumers’ data, it’s time for the banks to stop the sleight-of-hand and admit that any policy solution must cover everyone, including themselves.

Doug Kantor is legislative counsel for the National Association of Convenience Stores.