ICBA Policy Resolution: Data Security and Fraud


  • All participants in the payments and financial systems, including merchants, aggregators and other entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act-like data security standards.
  • ICBA supports a national data security breach and notification standard to replace the current patchwork of state laws.
  • Community banks should be notified of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
  • The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should continue to be able to access various cost recovery options after a breach, including account recovery programs and litigation.
  • All stakeholders must continue to freely innovate to effectively protect consumer data and confidence.
  • ICBA strongly supports ongoing regulatory efforts and existing voluntary public-private partnerships to address the growing threat of cyber-attacks.
  • ICBA supports stronger data security standards and practices for regulatory agencies and staff.


Data breaches at a national credit bureau, national retail chains and elsewhere have the potential to jeopardize consumers’ financial integrity and confidence in the payments system. Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and retaining customers. However, bad actors will continue to look for weaknesses in the payments and information systems in various industries and breaches will occur.

Extend Gramm-Leach-Bliley Act-Like Standards

Under current federal law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. To most effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards such as Gramm-Leach-Bliley Act-like standards.

A National Data Security Breach and Notification Standard is Vital

Many states have enacted laws with differing requirements for providing notice in the event of a data breach. This patchwork of state notification laws and potentially overly broad notification requirements only increase burdens and costs, foster confusion, and ultimately are detrimental to customers. While notifying customers is appropriate, any national notification standard needs to be accompanied by Gramm-Leach-Bliley Act-like data security standards for all participants of the payment system – including merchants – to provide consumers a greater level of protection. Federal banking agencies should continue to set the standard for financial institutions.

Banks Need Timely and Enhanced Breach Notification

It is equally important that community banks receive timely notification concerning the nature and scope of any breach when bank customer information, such as account numbers, may have been compromised. 

Cost Recovery

Regardless of where a breach occurs, banks are stewards of the customer financial relationship and take a variety of steps at their own expense to protect the integrity of customer accounts. These costs should ultimately be borne by the party that incurs the breach. Barring a liability shift, community banks should have access to various cost recovery options.

ICBA recently filed suit against Equifax for a major data breach in 2017

ICBA’s lawsuit asks the U.S. District Court for the Northern District of Georgia to require the credit bureau to compensate community banks harmed by the breach. The complaint cites the myriad damages caused by the breach, such as the costs of customer credit freezes, protective measures to deter and/or prevent fraud, and cancelling and replacing payment cards. For a longer-term solution, ICBA also asks the court to require Equifax to improve its security infrastructure to prevent future data breaches.

Regulators Should Hold Data Safely

Despite issuing rules, regulations, and guidance, and examining financial institutions for the safekeeping of customer data, regulatory bodies have also been subject to data breaches. During bank examinations, regulators become privy to, and hold, sensitive bank information, including customer information. Like banks, regulatory agencies have a responsibility to safeguard this sensitive information.

Emerging Threats

ICBA supports the efforts of the Federal Financial Institutions Examination Council (FFIEC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to develop guidance and best practices to counteract emerging threats. Sharing this type of information with federal agencies and financial sector participants helps manage emerging threats and protect critical systems.

Staff Contacts
Jeremy Dalpiaz, Lilly Thomas, Amy Roberti, and Aaron Stetter