
From Banking and Finance Law Daily, February 4, 2014

Hearing witnesses urge Congress to enact laws to safeguard consumers’ financial data

By J. Preston Carter, J.D., LL.M.

Witnesses at the Senate Banking Committee’s Subcommittee on National Security and International Trade and Finance hearing on Feb. 3, 2014, titled “Safeguarding Consumers’ Financial Data,” thanked lawmakers for seeking ways to avoid repeats of criminal attacks in which card numbers and other personal data belonging to more than 100 million consumers were stolen late last year and urged Congress to act on legislation to “stop this kind of fraud in its tracks.”

FTC enforcement. Jessica Rich, Director, Bureau of Consumer Protection, Federal Trade Commission, told lawmakers that “Data security is of critical importance to consumers. If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm.” She pointed to Bureau of Justice Statistics estimating that 16.6 million persons—or 7 percent of all U.S. residents ages 16 and older—were victims of identity theft in 2012.

Rich noted that, to promote data security, the FTC enforces several statutes and rules that impose obligations upon businesses that collect and maintain consumer data. These include the proscription against unfair or deceptive acts or practices in Section 5 of the FTC Act; the Gramm-Leach-Bliley Act; the Fair Credit Reporting Act; and the Children’s Online Privacy Protection Act. Since 2001, the agency has used its authority to bring cases against businesses that it charged with failing to provide reasonable protections for consumers’ personal information.

Her testimony reiterated the FTC’s support for Congress to enact data security legislation that would: strengthen its existing authority governing data security standards on companies; and require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.

Kirk announces anti-hacking bill. At the subcommittee hearing, Ranking Member Sen. Mark Kirk (R-Ill.) announced that he will introduce the Credit Card Theft Sentencing Act, which would create mandatory sentences for individuals found guilty of hacking. The bill would make the hacking of more than 1 million consumer credit card numbers a crime punishable by 25 years in prison.

"Each year, consumer hackers steal millions of dollars from Americans and gravely threaten the safety of our nation's financial system," Kirk said. "These criminals must face real consequences. Our laws do not sufficiently punish cyber criminals, and these devastating breaches of confidential information must be punished." The measure also offers a series of mandatory minimums, with each penalty dependent on the computer crime committed. These crimes deserve more prison time, Kirk said, because of their seriousness and the vast sums of money involved.

ABA calls for shared responsibility. James Reuter, executive vice president of FirstBank in Lakewood, Colo., testified on behalf of the American Bankers Association that, even with the recent breaches, “our payment system remains strong and continues to support the $3 trillion that Americans spend safely and securely each year with their credit and debit cards.”

Reuter emphasized that the banking industry’s overarching priority in breaches like that of Target’s is to protect consumers and make them whole from any loss due to fraud. “When a retailer like Target speaks of its customers having ‘zero liability’ from fraudulent transactions, it is because our nation’s banks are making customers whole, not the retailer that suffered the breach,” Reuter said. “Banks swiftly research and reimburse customers for unauthorized transactions, and normally exceed legal requirements by making customers whole within days of the customer alerting them.”

However, Reuter said that “Banks, retailers, processors and all other participants in the payments system must share the responsibility of keeping the system secure, reliable and functioning in order to preserve customer trust. That responsibility should not fall predominantly on the financial services sector.” He added that, while banks bear over 60 percent of reported fraud losses, they have accounted for less than 8 percent of reported breaches since 2005.

“More needs to be done to stop this kind of fraud in its tracks,” Reuter said. “As such, a national standard for data security and breach notification, as contained in S. 1927, the Data Security Act of 2014 (see Banking and Finance Law Daily, Jan. 17, 2014), is of paramount importance.”

Financial services industry proposes national data breach standard. A number of financial services industry organizations sent a letter to the Senate Banking Committee proposing several recommendations they believe would help to strengthen the payments system and better protect consumers in the event of a breach:

  • Establish a national data security breach and notification standard.

  • Make those responsible for data breaches responsible for their costs.

  • Better sharing of threat information.

The letter was sent by the ABA, The Clearing House, Consumer Bankers Association, Credit Union National Association, Financial Services Information Sharing and Analysis Center, The Financial Services Roundtable, Independent Community Bankers of America, and National Association of Federal Credit Unions.

Transnational cyber crime. Advances in computer technology and greater access to personally identifiable information via the Internet have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies, according to testimony of William Noonan, Deputy Special Agent in Charge, United States Secret Service. As a result, he said, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure.

These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy. Noonan said that the recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our nation’s retailers and financial payment systems.

The Secret Service is authorized to investigate violations of 18 U.S.C. §1029-1030, which were enacted as part of the Comprehensive Crime Control Act of 1984; and which criminalized unauthorized access to computers and the fraudulent use or trafficking of access devices—defined as any piece of information or tangible item that is used as a means of account access that can be used to obtain money, goods, services, or other thing of value.

Noonan said that, while there is no single solution to prevent data breaches of U.S. customer information, legislative action could help to improve the nation’s cybersecurity, reduce regulatory costs on U.S. companies, and strengthen law enforcement’s ability to conduct effective investigations.

NRF calls for card security, nationwide data breach notification standard. Mallory Duncan, General Counsel of the National Retail Federation, told the committee that retailers are spending billions of dollars to prevent criminals from stealing consumers’ credit and debit card information but that banks need to fix their fraud-prone cards if the efforts are to succeed. “We have every reason to want to see fraud reduced, but we have only a portion of the ability to make that happen. We did not design the system, we do not configure the cards, and we do not issue the cards. We will work effectively to upgrade the system, but we cannot do it alone.”

Duncan said retailers are exploring a number of long-term options to improve card security but that banks in the meantime need to switch to new PIN and Chip cards that would require use of a secret personal identification number instead of a signature and would encrypt card data on an embedded computer micro-chip instead of storing it on a magnetic stripe. The cards are used in about 80 countries around the world but, Duncan asserted, banks have balked at issuing them here despite repeated requests by retailers.

Duncan called on the Senate to give final approval to the Cyber Intelligence Sharing and Protection Act (H.R. 624), House-passed legislation that would make it easier for the commercial sector to share information about threats and ensure that cyber crimes are thoroughly investigated and prosecuted. NRF also wants Congress to replace the varying state data breach notification laws with a single nationwide standard.

Increase protections under EFTA. Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group, urged Congress to “carefully weigh” its response to the Target data breach. He said, “Increasing consumer protections under the Electronic Funds Transfer Act (EFTA), which applies to debit cards, to the gold standard levels of the Truth In Lending Act, which applies to credit cards, should be the first step.” Mierzwinski offered the committee 10 recommendations for reform:

  1. Congress should improve debit/ATM card consumer rights and make all plastic equal.

  2. Congress should not endorse a specific technology, such as EMV (parent technology of Chip and PIN and Chip and Signature). If Congress takes steps to encourage use of higher standards, its actions should be technology-neutral and apply equally to all players.

  3. Investigate card security standards bodies and ask the prudential regulators for their views.

  4. Congress should not enact any new legislation sought by the banks to impose their costs of replacement cards on the merchants.

  5. Congress should not enact any federal breach law that preempts state breach laws or, especially, preempts other state data security rights.

  6. Congress should allow for private enforcement and broad state and local enforcement of any law it passes.

  7. Any federal breach law should not include any “harm trigger” before notice is required.

  8. Congress should further investigate marketing of overpriced credit monitoring and identity theft subscription products.

  9. Review Title V of the Gramm-Leach-Bliley Act and its data security requirements.

  10. Congress should investigate the over-collection of consumer information for marketing purposes. More information means more information at risk of identity theft. It also means there is a greater potential for unfair secondary marketing uses of information.

Multi-layered approach. Troy Leach, Chief Technology Officer, PCI Security Standards Council, emphasized that “there is no single answer to securing payment card data. No one technology is a panacea; security requires a multi-layered approach across the payment chain.” He said that recent data breaches underscore the importance of “constant vigilance in the face of threats to payment card data. We are hopeful that this hearing will help raise awareness of the importance of a multi-layered approach to payment card security.”

Since the threat landscape is constantly evolving, Leach said, the PCI SSC expects its standards will do the same. According to Leach, confidence that businesses are protecting payment card data is paramount to a healthy economy and payment process—both in person and online. He noted that more than one thousand of the world’s leading retailers, airlines, banks, hotels, payment processors, government agencies, universities, and technology companies have joined the PCI Council as members and as part of “our assessor community to develop security standards that apply across the spectrum of today’s global multi-channel and online businesses.”

However, Leach added, there are also “very clear ways” in which the government can help improve the payment data security environment. He called on the government to champion stronger law enforcement efforts worldwide, due to the global nature of these threats, and to encourage stiff penalties for crimes of this kind to act as a deterrent.

ICBA urges breach costs borne by responsible parties. In a statement to the hearing, the Independent Community Bankers of America said that community banks are absorbing the costs of making their customers whole following the recent data breaches at major retailers such as Target and Neiman Marcus. ICBA said that the costs of reissuing cards, responding to customer concerns and protecting against fraud can be significant and should ultimately be borne by the party at fault for the breach.

ICBA also noted that financial institutions have been subject to rigorous data-protection standards under the Gramm-Leach-Bliley Act, which have been effective in securing consumer data at financial institutions. To adequately protect consumers and the payments system, all participants in the payments system—including merchants—should be subject to GLBA-like standards, the association said.

Companies: American Bankers Association; The Clearing House; Consumer Bankers Association; Credit Union National Association; Financial Services Information Sharing and Analysis Center; The Financial Services Roundtable; FirstBank; Independent Community Bankers of America; National Association of Federal Credit Unions; National Retail Federation; PCI Security Standards Council; U.S. Public Interest Research Group

