Who Should Pay?

by Walter Pierce

Banks are the ones taking the financial hit for retail security breaches, and that just doesn't seem fair.

Banks are the ones taking the financial hit for retail security breaches, and that just doesn't seem fair. By Patrick Flanagan

Monday, Sept. 15, 2014

Michael's, Neiman Marcus, Sally Beauty, Target, and most recently Home Depot. All are victims of security breaches targeting customer debit and credit cards.

For each of these breaches, which have resulted in the loss of millions, it's neither the consumer nor the retailer who's responsible for covering the financial burden. That obligation, like it or not, has fallen on the shoulders of the banking industry.

Home Depot's breach was first reported Sept. 2 by the blog, prompting a response the next day from the company's CEO, Frank Blake, who was quick to point out that customers wouldn't be financially responsible for any fraudulent charges they may have incurred.

"One thing I would note is these breaches are taking place at retailers, and retailers have obviously been more vulnerable than other areas of the economy," says Bob Taylor, president and CEO of the Louisiana Bankers Association. "One of the things that sets the banks apart is the fact that we have a pretty significant regulatory apparatus that we have to follow."

These increased regulations came in 2005, notes Taylor, including sweeping requirements for the banking industry to prepare for security breaches.

Bob Taylor, Louisiana Bankers Association

"This guidance tells us what to do if we have a security breach; it gives us protocol and expectations we have to meet for safeguards in employee training, privacy policies, security, encryptions, fraud detection software," says Taylor. "We're at the front lines. The banks are in a unique situation of having people's info and also having pretty significant regulatory obligations. If you look at the retail industry, they don't have that. And by not having that, we're seeing, even after the Target breach, that you have retailers who are apparently not doing what they need to do to secure their data."

For the banking industry, this is a problem - a very expensive one. Retailers have no liability in the event of a breach, leaving the burden solely on the banks.

"Obviously, the banking industry believes the retailer ought to be more liable and have more rigorous regulatory requirements to protect the consumer; for the consumer's sake, Home Depot's sake," says Taylor. "The bank is a third-party in this. We're not involved in the breach, but we're the one who has to make it whole."

In just the Home Depot case alone, that breach, estimates Taylor, cost the banking industry about $20 million.

The solution? According to Taylor, it all centers on federal regulations being imposed on the retail industry, much like the guidelines imposed on banks in 2005.

That, however, will require an act of Congress, which Taylor says he doesn't see happening at least until next year, after the upcoming elections.

"The retail merchants need to be held to the same standards as the banking industry in how they go about protecting their information," argues Taylor. "Unfortunately, this will need to come from Congress.

Fact is, we keep seeing this over and over again. Obviously there's a problem, and the retail industry isn't addressing it. Target's CEO lost his job over their breach, which shows that if you're running a large retail business, this is something you need to be more involved in and addressing. And it'll be interesting to see how the Home Depot thing plays out."

According to Stephen Holmes of Home Depot's public relations department, measures are in the works to tighten the company's security and prevent further attacks.

Though he wouldn't comment on the need for increased regulations on the retail industry, Holmes did say the company is taking the threat of cyber attacks seriously, and "will roll out EMV Chip and PIN' to all U.S. stores by the end of this year, well in advance of the October 2015 deadline established by the payments industry."

Photo by Robin May

This issue doesn't just threaten big box stores like Home Depot and Target, according to Lou Velez, resident agent-in-charge of the U.S. Secret Service office for the Western District of Louisiana.

"We just had a major breach in Louisiana, but it never even made the news," Velez tells ABiz. "We can't divulge what company, the people involved would have to do that, but I can say it was a retailer - a fast food chain in Louisiana."

One of the big problems, says Velez, is that many of the retailers targeted in cyber breaches aren't IT savvy, and oftentimes don't realize they've been attacked until it's too late.

"Like any system, you should know how it works," says Velez. "You should go in routinely to see if there's anything that doesn't belong. Best practices should be put in place. You can't be totally secure, but you can minimize the possibility of being breached. It's just like a burglar alarm - it needs to be tested. Most of the time these businesses are too busy doing their business, and cyber security isn't as much of a priority."

The issue, according to Velez, first surfaced in 2008, and along with the big box retailers, has also affected locally owned mom and pop stores as well, though the big payoff for hackers comes from the larger companies.

"Some of the smaller companies are starting to take measures, but a lot of this is financial, so the bigger company, which has more assets, is more likely to up their security," says Velez. "And consumers should also be more aware when they're using their cards. They shouldn't be afraid to use them, but they should check their bank account statements at least once a week. As long as the consumer is also vigilant, they'll know when something is out of whack."