WASHINGTON (3/27/14)--Sen. Claire McCaskill (D-Mo.) said at a hearing on the Target data breach Wednesday that there just might be a lot of public confusion about where "losses fall and where costs are absorbed" in such breaches.
McCaskill, a member of the Senate Commerce, Science & Transportation Committee that conducted the hearing, noted that companies collecting consumers' personal information are not held financially responsible for the costs that occur when the data is not secure.
"I don't think people understand ... a lot of the costs associated with this breach--in fact the majority--fall on credit unions and local banks instead of Target," McCaskill highlighted.
She noted, "Interchange fees were $19 billion before the Durbin amendment and now they are less than $10 billion." The Durbin Amendment refers to the last-minute addition to the Dodd-Frank Act that capped the fees debit card issuers area allowed to charge merchants for the merchants' customer's use of debit cards.
She continued, "So retailers got almost $10 billion extra as a result of those prices going down. I'm not saying that's good or bad, but I'm trying to say it's important the risk be borne by those who must engage in the activity to protect.
"I think most people thought you guys were covering the cost of this," she said to the retailer. "I think a clarification of where the risk falls is important for us, because it will be better to align those risks with the right incentives in the free market," she stated.
In conjunction with its hearing, the committee released a report alleging that Target missed several opportunities to stop last year's data breach that compromised about 40 million debit and credit card numbers and the personal information of 70 million customers (News Now March 27).
The Credit Union National Association has asked Congress to address data security relative to merchants, who are not held to the same standards of security as credit union and other financial institutions.
In particular, CUNA suggests all payment system participants are held to comparable levels of federal data security requirements; those responsible for the data breach should be responsible for the costs of helping consumers; and those responsible should ensure consumers know where their information was breached.