Massachusetts bankers are hoping the Legislature finds the time this session to pass a data breach bill that would shift some of the cost burden associated with data breaches back onto the shoulders of retailers, where banks say it belongs.

The bill, titled “An Act Relative to the Security of Personal Financial Information,” would hold retailers responsible for some of the costs associated with handling the fallout from a data breach. In the aftermath of high-profile breaches at big-box retailers like Target and Home Depot, bankers say they’re the ones left holding the bag for fraud control.

“Clearly the level of industry frustration and angst is increasing as the number of major big box retailers continue to have exposure as a result of these breaches,” said Kevin Kiley, executive vice president and chief operating officer of the Massachusetts Bankers Association.

The bill is a slightly modified version of the draft the MBA lobbied to pass last year. The bill didn’t pass in the last session largely because the Legislature just didn’t get around to it, but as data breaches continue to dominate headlines, bankers hope legislators will take up the cause once and for all.

Retailers, understandably, are none too happy about the proposed bill.

“We will oppose the legislation with everything we can,” said Jon Hurst, president of the Retailers Association of Massachusetts. “If it looks like it’s going to have legs, we are going to insist it be paired with state interchange legislation that will bring the federal swipe fee of 24 cents … up by at least 50 percent.”

While bankers contend that they’re on the hook for the cost of reissuing cards, stopping unauthorized payments and closing and reopening compromised accounts, Hurst said that banks should already be able to recoup those costs through interchange fees and fines levied by the Federal Trade Commission and Payment Card Industry Security Standards Council against retailers not in compliance with data security standards. Using state legislation to collect from retailers, he said, effectively amounts to collecting on the same costs three times.

And with migration to EMV anticipated later this year, he said, it’s basically a moot point.

“Come October, retailers are already going to be liable for these costs if they have not upgraded their systems to accept PIN and chip, so why are they even still pushing this legislation?” Hurst said. “If the fault is with the retailer, that’s going to happen anyway in October. You have to raise the question: are the banks really doing what they need to do to prevent fraud?”

Suing Target In Minnesota

The question of who should pay the costs incurred after a data breach is also at the center of a lawsuit currently pending against Target Corp. in Minnesota. In that suit, a group of banks claiming class action status is seeking to recoup some of the expenses they incurred after Target’s data breach late in 2013.

Gary Lynch, a partner in the Pittsburgh law firm Carlson Lynch Sweet & Kilpela, said that about 35 banks nationwide sued Target over the data breach, but the case is moving forward with just five plaintiffs chosen from around the country – and one of them is Whitman-based Mutual Bank.

According to the suit, the banks allege that shoddy or subpar data security practices on the part of Target cost them time, money and customer trust. The suit further alleges that Target violated several Minnesota laws by keeping certain card security code data for more than 48 hours after it authorized transactions, and by failing to meet its responsibility for notifying financial institutions of the breach.

The key, Lynch said, is that the plaintiffs chose to file the suit in Minnesota because that state does have a law similar to the one Massachusetts bankers are hoping to push through this year.

“[Minnesota is] one of the few states that has enacted legislation that sets the standard of care that retailers have to meet when they’re handling their database and IT systems,” he said. “We’ve had a situation where the risk of loss has essentially been borne by the banks. This statute, I think, properly assigns that risk of loss to the retailers.”

Lynch, who worked with the MBA to draft the legislation, said that the Minnesota statute “cuts right to the chase, defines the duty of care and assigns the risk of loss,” though he added that courts also have the ability to define the standard of care.

Last fall, Target’s lawyer failed to convince a judge to dismiss the lawsuit. Lynch said the case is now proceeding into the discovery phase.

Mass. Bankers Hope To Push Data Breach Bill This Year

by Laura Alix