Banks take on retailers over who foots cyber attacks bill

High quality global journalism requires investment. Please share this article with others using the link below, do not cut & paste the article. See our Ts&Cs and Copyright Policy for more detail. Email [email protected] to buy additional rights. http://www.ft.com/cms/s/0/23f1339c-6778-11e4-8970-00144feabdc0.html#ixzz3Ig32KW7W
Banks are gearing up for a big fight with retailers over who covers the cost of cyber attacks, after they paid most of the bill for breaches that they blamed on retailers’ own security deficiencies.

In a rare show of unity, industry bodies that represent banks are banding together to urge lawmakers to introduce legislation that would force retailers to pay for the clean-up themselves during the new session of Congress next year.

The tussle between the two sectors comes as cyber attacks become an increasingly common problem for companies and highlights the difficulties in deciding who is responsible for the costs. Cyber attacks on retailers Home Depot and Target, for example, affected almost 100m credit cards in the past year.

“This is an equity argument,” said Cam Fine, head of the Independent Community Bankers of America, which has about 5,000 members. “If it was Home Depot’s data security system that was breached, shouldn’t they have to reimburse banks for all of the costs since it wasn’t the banks’ fault? That’s just common sense.”

The data breach at the retailer, which the company reported in September, cost community banks and credit unions at least $160m to reissue cards and pay for other services related to the attack. Home Depot estimated that the breach cost the company at least $62m.

“The weak link in the system today is on the merchant end,” the National Association of Federal Credit Unions and the Credit Union National Association said last week in a letter to retailer and grocer groups. “As long as the security standards on the merchant side of the system are weaker than those on the financial institution side of the system, the vulnerability for consumers and financial institutions will be at your feet.”

The Consumer Bankers Association and the Clearing House, which represents big banks such as JPMorgan, are also part of the effort. JPMorgan was the victim of a large cyber attack this summer.

Banks and retailers have sparred for years over transaction costs, but the latest spate of cyber attacks has heightened animosity between the two groups and ended a brief detente reached this year. In February, retail and banking trade groups had announced a cyber security partnership to increase information-sharing and other initiatives.

Retailers’ representatives rejected the banking industry’s claims. “The suggestion that retailers pay nothing is demonstrably false,” said Brian Dodge, executive vice-president at the Retail Industry Leaders Association, a lobby group.

The costs of unauthorised transactions on hacked credit cards were shared evenly between retailers and banks over time, he added, and retailers also contributed to the cost of reissuing cards.

“This is an effort by the banks to obscure reality and benefit from an issue that’s a challenge to many businesses, not just retailers,” he said.

Banks will be jostling with a host of other interest groups for the attention of Republicans, who won control of the Senate and tightened their grip on the House of Representatives in midterm elections last week. The organisations acknowledge they face challenges since the battle pits two powerful lobbying groups, the banking and retail industries, against each other.

There are a few bills in Congress that would establish national standards for reporting cyber security breaches, but those proposals have stalled. One reason is that various committees in Congress all claim jurisdiction over cyber security issues, sparking turf wars that have delayed legislation.

Banks have to meet the data protection criteria outlined in the 1999 Gramm Leach Bliley Act covering the financial industry, and they argue that similar standards are necessary for retailers and other businesses.

“There are sympathies and loyalties for both industries in Congress so it’s not clear who will win this argument,” said a Senate aide. “But there is more of an urgency to do something because these breaches keep piling up.”

[http://www.ft.com/intl/cms/s/0/23f1339c-6778-11e4-8970-00144feabdc0.html]