Banks, Retailers Fail to Fully Agree On Data Breach Legislation Details

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Alexei Alexis

Dec. 4 — A coalition of leading financial services and retail industry groups Dec. 4 announced progress in some areas of cybersecurity but was unable to reach agreement on an important component—principles for consumer data breach legislation.

The Merchant-Financial Cyber Partnership has agreed to work on protocols for threat information sharing between the two sectors and to outline principles for protecting the payment system. The group Dec. 4 posted principles on customer authentication and technologies that minimize the value of information if it is stolen, lost or breached in a next steps document.

“Collaboration between our industries and with law enforcement will help protect consumers from cyber criminals,” Tim Pawlenty, Financial Services Roundtable chief executive officer and partnership co-chairman, said in a Dec. 4 statement. “This Partnership has formed key links between our industries and we are hopeful these relationships will improve the entire payment system.”

However, talks fell apart on regulatory issues related to data breaches.

Allie Brandenburger, a spokeswoman for the Retail Industry Leaders Association, told Bloomberg BNA Dec. 4 that since “we represent substantially different constituencies and answer to different regulators,” the groups were unable to reach full consensus.

Letter to Congress

As part of the effort, the partnership also urged Congress in a Dec. 3 letter to pass legislation that would provide liability protection to companies that share cyberthreat data with other private sector entities or the government.

While both the financial services and retail industries agree on the need for data breach legislation, the two sides have feuded for years over the details. Tensions have escalated in the wake of recent breaches, with each side saying the other should bear primary responsibility for hacks that compromise payment cards.

The industry partnership was formed in April,after retailers such as Target Corp. and Neiman Marcus Group Ltd. reported high-profile data security breaches, triggering a flurry of congressional hearings and bills.

Since the partnership's formation, additional breaches have been reported by national retailers, such as Home Depot Inc. and Kmart.

To contact the reporter on this story: Alexei Alexis in Washington at

To contact the editor responsible for this story: Heather Rothman at

Full text of the summary of the partnership's next steps is available at

Full text of the partnership's letter to Congress is available at