Data Security and Fraud

Safeguarding customer information is critical to maintaining public trust and retaining customers. However, bad actors will continue to look for weaknesses in the payments and information systems in various industries, and breaches will occur.

ICBA Policy Resolution

Data Security and Fraud

Position

  • All participants in the payments and financial systems, including merchants, aggregators, technology companies, and other entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act-like data security standards.
  • ICBA supports a national data security breach and notification standard to replace the current patchwork of state laws.
  • Community banks should be notified by impacted entities of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
  • The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation.
  • All stakeholders must continue to freely innovate to effectively protect consumer data and consumer confidence.
  • ICBA supports stronger data security standards and practices for regulatory agencies and staff.

Background

Data breaches at credit bureaus, retail and hotel chains, social media networks, and elsewhere jeopardize consumers’ financial integrity and confidence in the financial services industry. Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory compliance.

Extend Gramm-Leach-Bliley Act-Like Standards. Under current federal law, retailers, technology companies, and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions.

Securing data at financial institutions is of limited value if it remains exposed at the point of sale and other processing points. To effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards such as those created by the Gramm-Leach-Bliley Act (GLBA).

A National Data Security Breach and Notification Standard is Vital. Many states have enacted laws with differing requirements for providing notice in the event of a data breach. This patchwork of state notification laws and overly broad notification requirements only increases burdens and costs, fosters confusion, and is ultimately detrimental to customers.

While notifying customers is appropriate, any national notification standard needs to be accompanied by GLBA-like data security standards for all participants of the financial services industry to provide consumers a greater level of protection. Federal banking agencies should continue to set the standard for financial institutions.

Banks Need Timely and Enhanced Breach Notification. It is equally important that community banks receive timely notification concerning the nature and scope of any breach that may have compromised customer information so that they may take steps to mitigate any damage. Enhanced breach notification can save community banks time and money and is in the best interest of customers.

Breach Liability Should Incentivize Stronger Security. Regardless of where a breach occurs, as stewards of the customer financial relationship, banks take a variety of steps at their own expense to protect the integrity of customer accounts. However, these costs should ultimately be borne by the party that incurs the breach. Barring a liability shift, community banks should have access to various cost-recovery options. Too often, the breached entity evades accountability while financial institutions are left to mitigate damages to their customers.

Regulators Should Hold Data Securely. Despite issuing rules, regulations, and guidance, and examining financial institutions for the safekeeping of customer data, regulatory bodies have also been subject to data breaches. During bank examinations, regulators become privy to, and hold, sensitive bank information, including customer information.

Like banks, regulatory agencies have a responsibility to safeguard this sensitive information. Liability for a potential breach of the regulators’ systems may be unfairly assigned to the community banks that submitted data to them, though they did so securely.

Staff Contacts: Steven Estep, Lilly Thomas, and Amy Roberti