Banks: Lack of retail regs raises risk of hacking

The finger-pointing over cybersecurity between retailers and financial institutions heated up Wednesday, with banks and credit unions pushing for more oversight of the retail industry to help protect consumers.

In a scathing joint letter sent to Senate and House leadership, the top banking and credit union trade groups noted that their industries have had "significant regulatory requirements and internal safeguards" since 1999 because of the Gramm-Leach-Bliley Act (GLB).

"Retailers are being targeted by cyber criminals," the groups wrote. "Retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

ADVERTISEMENT
The letter was signed by the American Bankers Association, The Clearing House, Consumer Bankers Association, Credit Union National Association, Financial Services Roundtable (FSR), Independent Community Bankers of America, the Electronic Transaction Association and the National Association of Federal Credit Unions.

The letter comes as tensions between the retailer and banking industries have flared following a political detente of sorts earlier this year.

FSR and the Retail Industry Leaders Association (RILA) created a private-public partnership in March that encourages businesses and banks to share threat information to prevent attacks.

It comes following recent high-profile data breaches at Target, Home Depot, Neiman Marcus and JPMorgan Chase.

After a breach, banks and retailers often engage in high-profile and very public blame games. At stake is which entity will have to pick up the tab for replacing the breached notification cards — which can cost tens of millions of dollars.

In part because of GLB regulations, banks and credit unions often front the costs. Retailers argue that they end up having to pay once the cases go through the judicial process.

Banks, retailers and credit unions nearly all agree that there should be some sort of national consumer notification legislation that would require Americans who have had their information breached to be notified.

But banks and credit unions say that breach notification legislation alone "will not solve this problem."

"It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse," the groups wrote.