ABA: Retailers Should Meet Higher Cybersecurity Standards
ABA's Doug Johnson Counters Contentions of Retailers' Group

The American Bankers Association rejects the Retail Industry Leaders Association's contention that a legislative proposal to hold retailers to the same cybersecurity standards as banks is unfair (see Retailers: Don't Require Us to Meet Bank Security Standards).
Reacting to a letter RILA recently sent to Congress objecting to provisions in the Data Security Act of 2015, also known as H.R. 2205, Doug Johnson, a senior vice president at the ABA, says the criticisms of the legislation amount to grasping at straws in an effort to keep retailers from being subjected to more stringent regulatory scrutiny of their security measures.
"We're really trying to ensure that, to the greatest extent possible, all businesses adhere to the same level of data security," Johnson says in an interview with Information Security Media Group in which he voices support for the legislative proposal.
"One of the things that we continually hear from the retail side is that banks have to have a higher level of security than the retail environment does. And our response to that has always been that even the smallest credit union has to abide by Gramm-Leach-Bliley," Johnson says. "The smallest credit union, which is maybe akin to the size of the smallest coffee shop, actually has the same requirements. But those requirements scale to the size of the institution and the risks that that institution presents to the overall environment and the kind of sensitive data that that entity has."
So why should retailers be expected to meet the same security standards as banks? "Because they have a lot of the same data," Johnson stresses.
Johnson says he's hopeful Congress will vote on compromise legislation establishing cybersecurity standards, as well as a national standard for breach notification, next year.
During this interview, Johnson also discusses:
- Why he agrees with retailers that the Federal Trade Commission should be the body that regulates and enforces cybersecurity requirements for retailers;
- How information sharing between bankers and retailers will help fuel stronger cooperation between the two groups; and
- Why protecting payment data along all points of the financial chain is increasingly critical.
Johnson leads the ABA's enterprise risk, physical security, cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues.