BankThink

Retailers Should Be Held to Stricter Standards on Data Security

The lazy, hazy days of summer appear to have no effect on cybercriminals. If anything, they seem to be emboldened to conduct more attacks. The continued absence of national data security standards for retailers has given cybercriminals free rein to access consumer data, and Americans and their financial institutions are paying the price.

The recent massive malware attack called Backoff affected an estimated 1,000 businesses, according to an alert issued on Aug. 22 by the Department of Homeland Security and U.S. Secret Service. The malware attacks the remote desktop applications used by point-of-sale systems, allowing cyber thieves to acquire consumers' credit card numbers and other personal information.

That's far from the only cyberattack this August. United Parcel Service on Aug. 20 confirmed a data security breach that had apparently gone undetected since January, ultimately impacting over 100,000 consumer transactions at 51 UPS franchises. And grocery chain owner Supervalu Inc. on Aug. 14 alerted its customers to a potential data breach on its point-of-sale network sometime between June 22 and July 17, affecting 180 stores.

Since most of the major data breaches have been engineered through malware, chip-and-PIN technology alone would not have prevented them. In order to make customer transactions safer, Congress should hold retailers and any other businesses responsible for the storage of consumer data subject to standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information.

In order to relieve financial institutions saddled with the costs of replacing compromised credit cards through no fault of their own, Congress should require merchants to pay for the costs of breaches that occur on their end — particularly when negligence may have led to the attack. The Target data breach alone will cause financial institutions to lose $480 million in card replacement costs and other expenses, according to estimates by the National Association of Federal Credit Unions.

Merchants should also be required to post their data security policies at the point of sale if they take sensitive financial data and to notify account servicers or owners — including financial institutions — whenever any personally identifiable information has been collected. Such a disclosure requirement would come at little or no cost to the merchant, but would allow consumers to be better educated about what merchants may be doing with their personal information and the risks to which they are exposed.

To help prevent future security issues, breached merchants or retailers should be required to demonstrate that they have taken all necessary precautions to guard data. And Congress should enforce data retention prohibitions in existing agreements between merchants and card companies, as well as establish statutory standards prohibiting retailers from retaining payment card information. Many retailers today store sensitive personal data in their systems, leaving that information vulnerable to breaches.

For the sake of America's economy and consumers, Congress must take steps to protect consumer financial information from cybercriminals. Retailers must be held to the same strict standards of data security and breach notification to which all financial institutions must adhere.

Carrie Hunt is senior vice president of government affairs and general counsel at the National Association of Federal Credit Unions.
