Breaches Spark Call for Congress to ActFinancial Services Roundtable Outlines Recommendations
In light of recent high-profile retail breaches, including those at Target and Neiman Marcus, The Financial Services Roundtable is asking Congress to take action. For example, it's calling for passage of a national data breach notification law as well as legislation to expand oversight of the retail and telecommunications sectors.
"The recent breaches of retailer data systems are a grave reminder of the need for robust and proper cyberprotections," says Tim Pawlenty, president and CEO of The Financial Services Roundtable, in a Jan. 27 letter to Congress. The roundtable is an advocacy organization for the U.S. financial services industry.
Cybersecurity improvements are needed in the retail sector as well as the telecommunications industry, "where measures to prevent cyber-attacks, such as the filtering of malicious software and the disconnection of botnet participants, could significantly influence the protection of businesses, consumers and the economy," Pawlenty says.
Measures to create a national data breach notification law (see Why U.S. Breach Notice Bill Won't Pass) as well as legislation to provide legal safeguards to allow the government and industry to share cyberthreat information (see Obama Sides with Anti-CISPA Petitioners and House Handily Passes CISPA) have been introduced in Congress, but lawmakers and the White House have yet to agree on the wording of these bills that could assure their passage in both houses.
Other recommendations outlined in The Financial Services Roundtable's letter include increasing information sharing about cyberthreats through existing mechanisms, such as the Financial Sector Information Sharing and Analysis Center; enhancing criminal penalties for cyber-crimes; increasing federal funding for cyber-research and design; improving international law enforcement cooperation; and supporting efforts to educate the workforce and consumers regarding cyberthreats.
Pawlenty notes the efforts being made by the financial services industry to respond to increasing cyber-risks, including information sharing through the FS-ISAC; development of two new Internet domains for banking and insurance; as well as creating a secure payments environment for transactions information.
"The cyberbattle, however, continues," Pawlenty says. "We must be both constantly vigilant and improving to stay ahead of the threats."
Other Messages to Congress
On Jan. 16, American Bankers Association President and CEO Frank Keating asked Congress to examine the specific circumstances surrounding Target's breach [see: Retail Breaches: Congress Wants Answers].
In a letter to the House and Senate, Keating acknowledged that retailers, banking institutions and all others who play a role in the payments chain all must work to ensure ongoing security. But the ABA asked for more shared responsibility when retail breaches result in fraud.
"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," he said. "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred. Moreover, bankers have historically received little meaningful reimbursement for the costs they have incurred."
Within five days of the ABA sending its letter, the National Retail Federation responded. In a letter to Senate and House leaders, Matthew Shay, the federation's president and CEO, noted that banking institutions and the government "have a critical role to play" when it comes to ensuring card security.
"For years the banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation Chip and PIN card technology for customers in Europe and dozens of other markets," Shay said. "Only by working together will consumers' financial data be protected from criminals."
The NRF supports the passage of the Cyber Intelligence Sharing and Protection Act, which would allow the commercial sector to more quickly share information about threats, Shay said.