Bankers may not normally welcome new laws, but where cybersecurity and data breaches are concerned, they might like a little guidance from the Feds – and it certainly wouldn’t hurt if retailers would share a little bit more of the financial burdens of data breaches.
Speaking before a Senate subcommittee on behalf of the American Bankers Association, Doug Johnson, the ABA’s senior vice president of payments and cybersecurity, said that a uniform federal data breach law would better protect consumers than the disparate state laws that exist today.
"Inconsistent state laws and regulations should be preempted in favor of strong federal data protection and notification requirements," he said, according to prepared remarks. "Given the mobile nature of our nation’s citizens, it is clear that the existing patchwork of state data breach laws are unduly complicated for consumers as well as businesses."
In outlining principles that should guide lawmakers in crafting just such a law, Johnson said that the costs of a data breach should ultimately be shouldered by the entity that incurs the breach. This has been a bone of contention between banks and retailers. When a big box retailer suffers a data breach, it’s the affected customers’ banks that usually eat most of the costs associated with stopping and preventing card fraud.
Johnson also told the subcommittee, "The business with the most direct financial relationship with affected consumers should be able to inform their customers and members about information regarding the breach, including the entity at which the breach occurred."
However, he sought to draw lawmakers’ attention to existing laws concerning the protection of consumers’ financial information – specifically, he pointed to provisions of the Gramm-Leach-Bliley Act that outline financial institutions’ responsibilities toward their customers in the event of a breach.
Johnson also underscored that the payment system is strong and functional, telling the subcommittee: "No security breach seems to stop the $3 trillion that Americans spend safely and securely each year with their credit and debit cards. … And with good reason: Customers can use these cards confidently because their banks protect them by investing in technology to detect and prevent fraud, reissuing cards and absorbing fraud losses."
He said, "Bankers are acknowledged leaders in defending against cyber threats. … Therefore, from the financial services perspective, it is critical that legislation takes a balanced approach that builds upon – but does not duplicate or undermine – what is already in place and highly effective in the financial sector."





