CBA Calls for Increased Consumer Protections in Response to Retailer Breaches

February 4, 2014

Retailers Must Take Responsibility for their Costs

Washington, D.C. (February 4, 2014) – The Consumer Bankers Association (CBA) is responding to the recent data breaches at retailers by calling for increased protections for consumers and greater responsibility on the part of retailers. CBA joined fellow financial services trade associations in writing to several House and Senate committees holding hearings on this issue. (1) (2) (3)

“Our payments system is made up of a wide variety of players: financial institutions, card networks, retailers, processors, and new entrants. Protecting this eco-system is a shared responsibility of all parties involved and all must invest the necessary resources to combat increasingly sophisticated breach threats to the payments system,” wrote the joint trades.

The joint trades’ letter outlined several recommendations for policymakers to help strengthen the payments system and better protect consumers in the event of a breach:

  1. Establish a national data security breach and notification standard. We believe that legislation should be enacted to better protect consumers by replacing the current patchwork of state laws with a national standard for data protection and notice. A good example of this is the Data Security Act of 2014 (S. 1927) introduced by Senators Tom Carper (D-DE) and Roy Blunt (R-MO).
  2. Make those responsible for data breaches responsible for their costs. Financial institutions bear the brunt of fraud costs. An entity that is responsible for a breach that compromises sensitive customer information should be responsible for the costs associated with that breach to the extent the entity has not met necessary security requirements.
  3. Better Sharing of Threat Information. Unnecessary legal and other barriers to effective threat information sharing between law enforcement and the financial and retail sectors should be removed through private sector efforts and enactment of legislation. For example, one such private sector effort is the expansion of membership in the Financial Services Information Sharing and Analysis Center to include the merchant community. No one organization or sector alone can meet the challenges of sophisticated cyber-crime syndicates, so robust communities of trust and collective protection must constantly be developed.

“Threats to data security are ever changing and unpredictable. Therefore, policymakers should not mandate or embrace any one solution or technology, such as EMV, as the answer to all concerns. As the threat evolves, so too must coordinated efforts to combat fraud and data theft that harm consumers. To address the emerging risks posed by mobile payments, for example, industry-driven solutions, such as the TCH Secure Cloud, are already underway employing ‘tokenization’ technology,” added the trades.

The letters were signed by: the American Bankers Association, the Clearing House, the Consumer Bankers Association, the Credit Union National Association, the Financial Services Information Sharing and Analysis Center, the Financial Services Roundtable, the Independent Community Bankers of America and the National Association of Federal Credit Unions.

About CBA

The Consumer Bankers Association (CBA) is the trade association for today's leaders in retail banking - banking services geared toward consumers and small businesses. The nation's largest financial institutions, as well as many regional banks, are CBA corporate members, collectively holding two-thirds of the industry's total assets. CBA’s mission is to preserve and promote the retail banking industry as it strives to fulfill the financial needs of the American consumer and small business.