Ahead of the Senate data security hearing on Monday, a group of trade associations that includes CUNA, NAFCU, the ICBA and the ABA told Congress to hold those who commit data breaches responsible for their costs.
“Although financial institutions bear no responsibility for the loss of the data from a retailer’s system, they assume the liability for a majority of the resulting card-present fraud,” said a letter sent to the Senate Subcommittee on National Security and International Trade and Finance on Monday before its “Safeguarding Consumers’ Financial Data” hearing.
“In most instances, financial institutions have historically received very little reimbursement from the breached entities – literally pennies on the dollar,” said the letter, addressed to committee Chairman Sen. Mark Warner (D-Va.) and Ranking Member Mark Kirk (R-Ill.).
To strengthen the payments system and better protect consumers in the event of a security breach, the organizations recommended establishing a national data security breach and notification standard.
In the letter, the organizations expressed support for the Data Security Act of 2014 (S. 1927) introduced by Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.), which would replace the existing state laws with a national standard for data protection and notice.
Since financial institutions are currently held responsible for the majority of fraud costs, the trades also called on the committee to support legislation that would make financial data thieves responsible for the costs of a breach.
“An entity that is responsible for a breach that compromises sensitive customer information should be responsible for the costs associated with that breach to the extent the entity has not met necessary security requirements,” the letter said.
Data security legislation should also remove unnecessary legal barriers to effective information sharing between law enforcement and retail sectors about security threats, the groups suggested.
“No one organization or sector alone can meet the challenges of sophisticated cyber-crime syndicates, so robust communities of trust and collective protection must constantly be developed,” said the letter.