By: Allison Coccia
It seems like every month we read about another big-time retailer experiencing a massive data breach. Yahoo, Facebook, Dunkin Donuts, Marriott. Who can forget Target and Equifax? Discovery of those breaches often comes years after the breach has occurred and the numbers of those affected seems to grow and grow with each new day’s reports, rocking consumer confidence in the payments system. The average cost of data breaches in the US is now $7.91 million1 and it continues to escalate.
Today, the chances of experiencing a data breach are one in four.2
Community banks embrace their role as guardians of the public trust while providing a safe and secure environment for families and small businesses to meet their banking needs. As part of that commitment, community banks are held to rigorous standards with regard to safeguarding consumers’ personal information. But, financial institutions are only one cog in the payments system’s wheel.
When there is one weak link, the entire system is at risk, exposing consumers’ personal and financial information to ambitious cybercriminals and the like.
For years, the Independent Community Bankers of America (ICBA) has been advocating for several measures to strengthen the data security aspect of the payments system. Here are just three:
COMMUNITY BANKS SET THE STANDARD, OTHERS MUST FOLLOW
There is an inherent weakness in terms of data security in our payments system.
Our payments system is made up of many players; retailers, financial institutions, and others that process or store consumer financial data. However, only financial institutions are required to follow the firm guidelines of the Gramm-Leach Bliley Act (GLBA) when it comes to the safeguarding of individuals’ personal information.
As required by the GLBA, community banks have strict standards in place including privacy and disclosure policies; protective measures to preserve the integrity of consumers’ personal information; preventative measures to deter breaches and notification requirements should a breach occur.
The other participants in the payments system are not held to this same standard.
If we are to have a safe and secure end to end payments system, then all of the participants must be regulated by the same Graham Leah Bliley Act like standards as financial institutions.
THOSE AT-FAULT FOR THE BREACH MUST BEAR RESPONSIBILITY FOR ALL COSTS ASSOCIATED WITH THE BREACH
Merchants like Target and Home Depot may have been at fault for their respective breaches, but it is community banks that foot the bill for the reissuance of secure cards for consumers.
When consumers’ data has been exposed, new card numbers must be issued to halt any further damage that might occur. Reissued cards can cost between $10-15 each, including the costs of mailing, etc.
In February of 2019, ICBA said that “the nation’s community banks have already reissued more than 4 million credit and debit cards at a total reissuance cost of more than $40 million following recent data breaches at major retailers.”3
In 2014 ICBA reported that “community banks across the country had to issue customers ‘nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of the Home Depot data breach.’”4
After each and every breach, community banks pay the price for a fault that is not their own.
Any entity that incurs a breach must be held responsible for all costs associated with that breach.
A hit to these violators’ pocket books may just be the incentive needed to ensure that the proper data security measures are in place.
NATIONAL NOTIFICATION REQUIREMENT NEEDED
Currently, each state has passed their own versions of notification requirements. These laws require those entities who’ve experienced a breach, to notify individuals when their personally identifiable information has or has potentially been breached. That means there are fifty different versions of what constitutes “personal information”, whom to notify, how to notify, when to notify and who shall notify. This causes confusion and further harms the affected consumers.
A national standardized notification requirement would allow merchants to act more swiftly and efficiently to notify consumers and in turn allows consumers to act more quickly to avoid identity theft or mitigate their losses.