Banking regulators and lobbyists are calling for nonfinancial companies to be held to the same rules as financial institutions when a data-security breach involves customer data. Speaking in front of the Senate Banking Committee on Thursday, Federal Reserve Governor Daniel Tarullo said there should be “uniform requirements on disclosure when breaches have actually taken place,” according to a Reuters report.
Banks have to notify customers of data breaches on a timely basis and take steps toward remediation. But retailers and other players in the electronic payments system, including third-party processors, do not have such strict rules, Reuters said.
Bank lobbyists chimed in earlier this week with a letter to legislators. “We believe that legislation should be enacted to better protect consumers by replacing the current patchwork of state laws with a national standard for data protection and notice,” the American Bankers Association, Consumer Bankers Association and other groups wrote on Monday.
The calls for better disclosure come in the wake of high-profile data security breaches at Target and Neiman Marcus. Both retailers dragged their feet in disclosing the incidents to the public. Neiman Marcus, for example, has revealed that it received information about a possible credit card data breach at its stores as early as before Christmas; a public announcement of the breach did not take place until Jan. 10, according to a January 28 story in DealBook.
The calls for faster, better disclosures don’t all center on the need to notify customers so that they can protect their personal information. As of January 28, neither Neiman Marcus nor Target “has submitted a filing with the Securities and Exchange Commission giving an estimate of the potential costs of the hacking they experienced, leaving shareholders in the dark about the effect of these episodes,” according to DealBook.
“For any retailer, a cyberattack may drive customers away and affect income through increased expenses for stronger computer security, providing identity theft protection to affected customers and refunding of any fraudulent charges,” the DealBook story said.
Meanwhile, on Wednesday, several news outlets reported that Target’s data security breach was linked to network credentials stolen from a heating and air conditioning subcontractor in Pennsylvania.