Bank-CU Tactical Divide on Breach Liability Bills

As banking lobbyists stick mainly to the sidelines, credit union groups are pushing state legislatures to enact laws holding merchants accountable when they fail to protect consumers’ data.

Bankers cite two reasons for avoiding the front lines: the fear of riling their merchant customers and a general aversion to government interference in markets.

“We think the marketplace itself will start to take care of these problems, and we don’t always need the legislature to act,” said Sharon Presnall, senior vice president of government relations at the Iowa Bankers Association.

Mike Semmann, director of government relations at the Wisconsin Bankers Association, said his group is “trying to maintain a balance between the needs of the banks’ customers, and a real need to provide more data security.”

Eleven states have taken up the issue since January of last year, when TJX Cos. Inc. of Framingham, Mass., announced the largest data breach in U.S. history. The owner of the TJ Maxx stores, among other chains, said its payment systems had been compromised as early as July 2005; as many as 94 million cards were exposed. (In December TJX settled a lawsuit brought by financial institutions.)

So far this year retail associations have been able to block bills in Wisconsin, Alabama, and Washington state; they stopped bills in Texas, Connecticut, and Massachusetts in 2007.

But legislation is still pending in California, Maryland, Michigan, and Iowa.

Minnesota was the first state to pass a law, adopting the Plastic Card Security Act in May 2007. Merchants doing business in the state must comply with the Payment Card Industry data security standards, and any that do not, and experience a breach after August 2008, will be forced to cover banks’ fraud losses and related costs such as notifying cardholders of the risk, opening and closing accounts, and reissuing cards.

Bankers are balancing their desire to get reimbursed for the losses against angering merchants — many community banks’ bread-and-butter customers.

Privately, bankers say they want more states to adopt laws like Minnesota’s, which puts the onus on merchants for data breaches if they had lax security. But many fear retail groups would retaliate by pressing statehouses to limit card interchange fees. (Such a bill was introduced in Congress last week by House Judiciary Committee Chairman John Conyers, D-Mich.)

So credit unions, which mainly serve individuals, have been leading the charge to hold merchants liable if they do not comply with standards that require such things as data encryption.

“If they fail to safeguard data, then they should bear some of the costs because of that failure,” said Chris Johnson, vice president of state governmental affairs at the Credit Union National Association.

The question is back for a second look in California, where Gov. Arnold Schwarzenegger, a Republican, vetoed a merchant liability bill last year, saying it would drive up compliance costs for small businesses.

But the California Credit Union League is working with an unnamed state legislator on a revised bill to address the governor’s concerns.

Keri Bailey, a lobbyist with the league, would not discuss the new bill in detail but said one provision being discussed would narrow the scope of the reimbursement for costs associated with “little breaches versus big breaches.”

The California Bankers Association joined a number of retail associations in opposing the bill that passed the state Legislature last year. Among other things, the groups said “government intervention” was unnecessary, because merchants already have to comply with PCI standards under contracts with credit card companies.

CBA spokeswoman Anissa Routon said the group would not comment on the revised bill until it is officially introduced. That is expected to occur in the next few weeks.

The dynamics seem similar in Maryland, where Assemblyman Saqib Ali, a Democrat, introduced a merchant liability bill in January on behalf of the Maryland and D.C. Credit Union Association.

The Maryland Bankers Association opposes the bill. “Retailers are our customers, and we’re very concerned that if there were a breach, that requirement could put one of our customers out of business,” said Kathleen M. Murphy, its chief executive officer. “We believe we’ve got adequate recourse today to pursue the cost of replacement in the event that it gets to that magnitude.”

The Maryland General Assembly’s 2008 session ends April 9.

In Michigan, bankers and credit union officials are working more closely. A merchant liability bill introduced in January by Sen. Randy Richardville, a Republican, has a “high likelihood of passing” before the legislature adjourns Dec. 31, according to David Adams, the CEO of the Michigan Credit Union League.

The Michigan Bankers Association supports the measure but has some technical concerns over the data encryption that would be required of retailers, spokeswoman Gail Madziar said.

“But we’re working with the legislators and a workshop group” made up of representatives from the various trade groups to come up with language “that ultimately would work for the consumers and the industry groups as well,” Ms. Madziar said.

Lawmakers in Iowa have until April 22 to finish their work, and last week they struck a merchant liability provision from a broader bill by Steve Warnstadt, a Democrat, that would require merchants to notify customers when a data breach first occurs. The Iowa Bankers Association supports the customer notification requirement but had opposed the merchant liability provision, Ms. Presnall said.

Justin Hupfer, vice president of governmental affairs at the Iowa Credit Union League, said his group is willing to table its merchant liability bill to give merchants a chance to beef up security standards voluntarily.

“We certainly hope merchants will do their best to comply with PCI rules, but if they don’t, down the road we’ll try to continue our discussion on codification of these standards,” Mr. Hupfer said.

In Wisconsin, after Senate approval, the Assembly on Tuesday failed to take up either of two bills, one sponsored by Republican Brett Davis and the other by Democrat Bob Wirch. The Legislature adjourned for the year on Thursday.

Brandon Scholz, the CEO of the Wisconsin Grocers Association, said financial institutions were trying to “shift their financial responsibility to retailers.”

“Retailers pay very high interchange fees, and part of that is to pay for the reissuance of cards and fraud losses in data breaches,” Mr. Scholz said. If the bills had passed, he said, financial institutions “would be double-dipping.”

Thomas Liebe, vice president of government affairs at the Wisconsin Credit Union League, said the authors of this year’s bills plan to work with retail and banking groups to draft legislation for the 2009 session that would address some of their concerns.

“Everything is on the table — that’s the only way you can go about consensus-building,” Mr. Liebe said.

Mr. Scholz said the law should not allow financial institutions to sue merchants. Instead, a new bill ought to empower a state agency, such as the Wisconsin Department of Financial Institutions, to charge negligent merchants a set penalty, he said.

Mara Humphrey, vice president of governmental affairs for the Minnesota Credit Union Network, said the Minnesota law could extend to merchants based in other states. The law applies to any merchant doing business in Minnesota — even if it has just one store with a point of sale terminal, she said. Out-of-state financial institutions issuing cards to customers affected by such a breach could still sue the retailer under the Minnesota law.

“Our intention was to make the language broad enough so that anyone who does business here would be impacted by this law,” Ms. Humphrey said.
