Last week, Home Depot became the latest large retailer to admit that its payment systems were breached and private information related to millions of its customers was stolen by criminals. A staggering 56 million Home Depot customer credit and debit cards, more even than the 40 million cards in last year’s Target breach, were compromised. The private information stolen over the last six months included debit and credit card numbers that can be used by criminals to initiate fraudulent transactions.
Home Depot posted information on its website regarding the breach including the statement that “you will not be responsible for any fraudulent charges to your accounts.” That is true. However, it is America’s banks that will reimburse you for any fraudulent charges to your account, not Home Depot.
Shockingly, Congress has yet to pass legislation that would require Home Depot and other retailers to make their customers financially whole in situations like this recent breach. Even though the Home Depot breach was due entirely to the company’s information security failure, your bank will be the one that helps you deal with the financial consequences in the event that your information is used for fraudulent transactions.
Only two segments of the vast U.S. economy are subject to federal requirements related to information security: the financial services industry through the Gramm-Leach-Bliley Act of 1999 and the health care industry through the Health Insurance Portability and Accountability Act of 1996. Retailers, restaurants, hotels, processors and every other participant in America’s payment system have no legal requirement to bear financial responsibility should their systems be breached and customer information stolen and used for fraudulent transactions.
So, the financial burden of Home Depot’s breach will fall on America’s banks, small and large. And the financial burden is not only to reimburse customers for fraud losses. Banks also bear the expense of reissuing debit and credit cards and other measures to protect their customers. Banks are national leaders in preserving the security of customer data. The industry dedicates hundreds of millions of dollars annually to data security and adheres to strict regulatory and network requirements. Unlike retailers, banks are also subject to robust oversight and examination at both the federal and state levels.
As evidenced by the Home Depot breach, criminal elements are growing increasingly sophisticated in their efforts to breach the payments system, and are attacking areas of perceived vulnerability such as retailers. It’s time for retailers and others to improve their systems so that consumers are better protected.
The good news is that large retailers have agreed to accommodate more secure chip-embedded debit and credit cards by October 2015. This technology has been in place for many years in Europe and other parts of the world and has proved effective in reducing fraud. However, use of debit and credit cards for online purchases will not benefit from the chip technology. So, diligence by retailers to strengthen their information security and payment systems will still be required.
The Federal Trade Commission is the regulatory agency charged with overseeing retailers. It is time for Congress to hold the FTC accountable for exercising effective oversight of retailers to protect consumers. I applaud Sen. Richard Blumenthal, D-Conn., for leading a call to hold the FTC accountable. I also applaud Attorney General George Jepsen for joining with four other states to investigate the Home Depot breach.
It is time for Congress to pass legislation to hold retailers and other users of the U.S. payment system accountable for their information security. Our payment system is made up of a wide variety of players: banks, card networks, retailers and processors. Protecting this system is a shared responsibility of all parties involved and each party must invest the necessary resources to combat increasingly sophisticated threats to breach the payments system. Each party must also bear the full responsibility, including financial, for breaches of their part of the payment system. It is time for Congress to pass legislation to hold all parties accountable.
Martin J. Geitz is president and CEO of Simsbury Bank and president of the Connecticut Community Bankers Association.