Crossroads Blog | CYBER SECURITY LAW AND POLICY

Chip and PIN, Congressional Report, Data Breaches, Federal Trade Commission, Finance, Target

Pointing Fingers: Why the US has Fallen Behind on Financial Retail Security

In the United States, the standard payment system is based on payment cards with magnetic stripes that are not encrypted and can easily be read.  It is reportedly easy to forge magnetic stripe cards and the signature on the back of the cards provide criminals with an example of the cardholder’s authentic signature.  In the United States, cybercriminals breached the data security of Target, Home Depot, JP Morgan Chase, Sony, and Adobe, stealing the personal and financial information of millions of customers. In most of the rest of the world, a payment system thought to be more secure, the Chip and PIN system, has been adopted.  Not only does this system rely on encryption at the initial transmission, but the system also changes the encryption every time it is used, making it nearly impossible for a criminal to capture and use cardholder information as it is transmitted and processed through the system.  Yet, in the United States, this technology has not been adopted as the standard. Why has the United States fallen behind on this security matter during a period of time overwhelmed by financial data breaches? According to a recent Congressional Research Service report, The Target and Other Financial Data Breaches: Frequently Asked Questions,

Image Target Financial Breaches

the basic answer is . . . money.  According to the report, the cost of producing a magnetic stripe card (the US standard) is about $0.50 compared with $2.20 to produce a chip card. There are costs to those that adopt the heightened security, but no equivalent benefits.  According to the report, the issue does not fall into the hands of a single player, because in the payment card industry, the players include the businesses accepting payment cards, issuing banks, acquiring banks, the payment card companies, and the merchants.  As a result, a gridlock has occurred from each player pointing their fingers at another player to take responsibility and cover the costs. The report explained the situation in the following way:

To use a simple analogy, in a house shared by several roommates, each wants to see the house kept clean, but no one wants to clean the living room. . . . This creates a similar problem of participants trying to shift the costs of cyber protection to the other participants.

At first, the courts were called to play parent to the disputes between the various parties.  According to the report, the decisions by the courts were made on a case-by-case basis and often litigated under a variety of state laws, and this led to a lack of uniformity in the outcomes. As a result, people are starting to turn to Congress for answers.  The report highlighted the following proposals made during Congressional hearings on the topic:

  • Federal Data Breach Notification Law: Essentially, this law would require companies to notify individuals when their personal identifiable information has been compromised.  There has been some push-back concerning the potential displacement of state laws if Congress enacted this law.
  • Modifying Federal Trade Commission Statutory Power: Currently the FTC does not possess explicit statutory powers to impose monetary penalties or punitive fines on companies for unfair or deceptive trade practices related to a data breach, so some in Congress have called for passage of a law to strengthen the FTC’s statutory authority to penalize businesses that fail to adequately protect consumers’ personally identifiable information.
  • Creating Federal Standards for Data Security, Including for Businesses: Some in Congress are pushing the federal government to create standards for what represents a minimum acceptable level of data security, while others voice concerns that standards would be too rigid for such a rapidly evolving, technology-driven field as data security.  The report describes a number of bills in both the Senate and House that appear to create differing types of federal standards for data security (to read about those bills click here for the full report).  On February 12, 2014, the National Institute of Standards and Technology (NIST) issued its Framework for Improving Critical Infrastructure Cybersecurity, which sets out a voluntary framework.  While the voluntary nature of the framework removed direct means of enforcement, the Congressional Research report points out that the existence of the framework could potentially create a basis for a standard of conduct that could possibly become a benchmark for courts to evaluate liability relating to data security under tort and other law.

While the policy solutions above serve as a baby step in the right direction, they ignore the bigger issue of allocating responsibility to the parties best positioned to protect against cyber breaches. As a result, the finger pointing continues.  For example, according to the report, merchants complain that the excessive market power of payment card companies has forced an undue share of the costs on the merchants, who also bear a high share of penalties and indemnifications for breaches.  Merchants also argue that payment card companies are not spending enough to upgrade security technology.  On the other hand, banks complain that they pay most of the costs to reissue cards and reimburse for fraudulent charges and that often such breaches result from merchants’ security errors. So the players involved do what they can to shift the costs of technological improvements in security.  The payment card industry has announced that effective October 1, 2015, liability for fraudulent transactions (except for ATMS and gas stations) will be assigned to the merchant or issuer that is not Chip and Signature compliant. However, is this the type of problem that should be dealt with by marketplace forces? According to the report, an additional concern voiced by banks and payment card companies was that “if data security were to become a competitive factor, information sharing and cooperating on data security might be more difficult.”  Taking into account the current focus in the cyber landscape on data sharing, this concern could have major implications. Given the above issues, perhaps the only solution is for the government to mandate improvements.  What do you think?  To learn more, read the full report by clicking here.

Leave a Reply