Banking Groups Urge Robust Oversight Of Retailers to Help Prevent Cyberattacks

By Jeff Bater and Alexei Alexis

Nov. 12 — Financial industry groups Nov. 12 told congressional leaders that robust oversight will help U.S. retailers protect consumers from cyberattacks—an assertion that could fuel tension between the two sectors in the debate over data security.

U.S. financial institutions are already subject to extensive data security regulations under the Gramm-Leach-Bliley Act (GLB Act), but retailers aren't covered by any such requirements at the federal level, according to a letter from the financial industry groups.

“It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse,” wrote the American Bankers Association, the Consumer Bankers Association, The Clearing House, the Credit Union National Association, the Financial Services Roundtable, the Independent Community Bankers of America and the National Association of Federal Credit Unions.

Dueling Letters

The coalition said it was seeking to “set the record straight” after a Nov. 6 letter from retail industry groups to Congress.

Retail groups have encouraged the enactment of a federal data security breach notification bill that would preempt an existing patchwork of state laws. But they have rejected the idea of a carve-out for financial institutions.

“Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit,” the recent retail industry letter said.

Despite a major data security breach recently reported by JPMorgan Chase & Co. and news that several other banks have suffered similar incidents, regulators haven't required financial institutions to provide “the same detailed notice to their customers as is required of other businesses under law,” according to the retail letter.

The dueling letters are part of an ongoing dispute between the two industries over data security bill issues. Groups from both sides agreed earlier in 2014 to work toward an agreement under the umbrella of a broader cybersecurity partnership. But differences have since emerged that might ultimately lead to a stalemate, industry sources previously told Bloomberg BNA.

Bills Pending

The industry partnership was formed after retailers, such as Target Corp. and Neiman Marcus Group Ltd., reported high-profile data security breaches, triggering a flurry of congressional hearings and bills.

Among other pending measures, a proposal (S. 1976) introduced by Sen. Jay Rockefeller (D-W.Va.), chairman of the Senate Commerce, Science and Transportation Committee, would authorize the Federal Trade Commission to enforce new rules requiring retailers and other companies to protect sensitive consumer data, such as credit or bank account information, and to notify individuals in the event of a breach. Violators would face civil penalties.

The commission now relies substantially on Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits “unfair and deceptive” trade practices, to pursue data security cases.

The Rockefeller bill would provide a regulatory carve-out for financial institutions that are in compliance with data security rules under the GLB Act. The senator's proposal and other bills to give the FTC new data security powers have stalled since they were introduced earlier in 2014. Similar legislation has died in previous congresses.

In a related development, President Barack Obama in October unveiled an executive order to strengthen the security of government credit and debit cards as part of a broader initiative to protect consumers' financial information in light of recent breaches. But he said that Congress still needs to do its part by moving forward on stalled data security legislation.

To contact the reporters on this story: Jeff Bater in Washington at jbater@bna.com; Alexei Alexis in Washington at aalexis@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com

The financial industry letter is available at http://fsroundtable.org/industries-equal-data-security-standards/.

The retail industry letter is available at https://nrf.com/sites/default/files/Final%20Merchant%20Group%20Letter%20to%20Congressional%20Leaders%20on%20Data%20Breach.pdf.