Retail groups take banks to task over data breach responsibility

Several retail trade organizations including the Retail Industry Leaders Association (RILA) and the National Retail Federation (NRF) have sent a letter identifying what they term "the shortcomings in the financial services' recent arguments about card security." The document seeks to correct any falsehoods in recent comments from the Independent Community Bankers of America (ICBA).

The letter calls for increased information-sharing legislation and chip-and-PIN cards as the number of data breaches continues to grow.

"Retailers bear more of the costs of breaches than banks," write the groups. "We need increased sharing of information between law enforcement and the business community, as well as between retailers and financial institutions and ignoring PIN technology leaves us all more vulnerable."

The letter was sent by the CEOs of RILA, the National Association of Convenience Stores, NRF, the National Grocers Association, the Food Marketing Institute, the National Restaurant Association and the Merchant Advisory Group.

The groups were responding to a press release from the ICBA entitled "Community Banks Reissue Nearly 7.5 Million Payment Cards Following Home Depot Data Breach," which detailed the results of a survey of community banks in the wake of the Home Depot cyberattack earlier this year. They contend the release, including a quote from ICBA's Chairman John Buhrmaster, contained a number of inaccuracies and misrepresentations.

Retailers pay more than 100 percent of the costs associated with breaches at their stores, claims the letter, and retailers share the costs of all card fraud. At issue is the ICBA's blaming retailers for recent breaches.

There is a demand for federal breach notification legislation, but not for the Gramm-Leach-Bliley Act, which does not require banks to inform customers about data breaches.

The letter is the latest in a string of finger-pointing between financial institutions and retail groups. In November, ICBA President and CEO Camden Fine released a statement that said, in part, "The real issue that needs to be addressed is that retailers aren't held to these same vital data-protection standards as banks. As we come upon the one-year anniversary of the Target breach, it serves as a stark reminder that the payments chain is only as strong as the weakest link. The costs of data breaches should ultimately be borne by the party at fault for the breach."
