Spat escalates between retail, finance industries

The retail and financial sector are at odds again over who foots the bill following a data breach.

Major retail associations on Thursday attacked the credit union industry for waging a dishonest public campaign about the losses credit unions incur as a result of data breaches.


The retailers pointed to some internal documents at a major credit union trade group that didn’t mention data breaches as a possible source of financial losses in 2014 and 2015.

“Perhaps because the authors know that merchants pay most of those costs,” the retailers said in an open letter.

The omission doesn't dovetail with financial institutions' public statements, they argued.

“Seriously?” replied Jim Nussle, CEO of the Credit Union National Association (CUNA). The retailers’ conclusions are “a perverse and misguided interpretation” of the group’s internal documents, he added.

As data breaches — and the resulting fallout costs — have skyrocketed in 2014, industry groups have taken sides over who is responsible when customer data gets exposed.

Banks and credit unions insist they should be compensated for the costs of reimbursing fraudulent charges and reissuing credit and debit cards. Retailers argue they too are victims, and run up huge bills in the wake of a breach.

The argument has spilled into the courts. Major U.S. banks are suing Target, which lost 40 million customers’ payment card data as a result of a cyberattack.

“Data breaches at merchant locations have cost credit unions at least $90 million this year,” Nussle said. “In the case of the Target breach ... credit unions have yet to see any reimbursements from that retailer as a result of the violation.”

Retailers disagree. Studies show that following a data breach, costs are “borne almost equally among retailers and card-issuing institutions,” they argued in their memo. Many merchants also have agreements with card networks requiring retailers to compensate card holders for a certain percentage of any fraudulent charges.

Such statements are merely attempts “to help merchants dodge responsibility for the losses they cause when they fail to secure consumer’s private data,” Nussle said. “The leaps made in the document are, to us, a curious threat to any perception of reality.”

And so the battle continues.