Banks and retailers may be gearing up for a battle royale over whose responsibility it is to foot the bill when cyber-criminals attack.
Industry bodies that represent banks are urging lawmakers to introduce legislation during the new session of Congress next year that would make retailers pay for cleanup costs themselves.
Banks have complained – particularly during the string of breaches that started with Target and was most recently capped off by Home Depot, Target’s successor as the “biggest breach in history” – that their institutions are picking up the tab for breaches caused by lapses in merchant security protocols.
“This is an equity argument,” said Cam Fine, head of the Independent Community Bankers of America, which has about 5,000 members. “If it was Home Depot’s data security system that was breached, shouldn’t they have to reimburse banks for all of the costs since it wasn’t the banks’ fault? That’s just common sense.”
Community banks and credit unions are already on the hook for $160 million in costs related to reissuing cards and other services related to the attack.
Home Depot estimated that the breach cost them at least $62 million.
Previous legislation that would have established national standards for reporting cyber breaches has stalled, usually over turf disputes between Congressional members, because many different committees claim authority over cyber-security.
“There are sympathies and loyalties for both industries in Congress so it’s not clear who will win this argument,” said a Senate aide. “But there is more of an urgency to do something because these breaches keep piling up.”
Retail and banking trade groups had announced a cyber security partnership in February 2014 to increase information-sharing and other initiatives, marking a temporary truce in the battle over which institutions are responsible for bearing the majority of the costs of criminal activity.
That truce, however, seems to be at an end.
“The weak link in the system today is on the merchant end,” the National Association of Federal Credit Unions and the Credit Union National Association said last week in a letter to retailer and grocer groups. “As long as the security standards on the merchant side of the system are weaker than those on the financial institution side of the system, the vulnerability for consumers and financial institutions will be at your feet.”
Retailers had an unexpectedly different view of the situation.
“The suggestion that retailers pay nothing is demonstrably false,” said Brian Dodge, executive vice-president at the Retail Industry Leaders Association. “This is an effort by the banks to obscure reality and benefit from an issue that’s a challenge to many businesses, not just retailers.”