After a Data Breach: Who’s Liable?
After a breach undergoes investigation, the unraveling of the mess afterwards can take months, and even years to resolve. In addition to incurring costs of the requisite free identity monitoring services, as well as the costs of overhauling security in their IT infrastructure, a victim organization can face multiple class-action lawsuits.
Typically, a few affected individuals may file suit on behalf of the larger group, seeking damages for the exposure of their personal information, which could include anything from medical diagnoses to debit/credit card pin numbers. But banks, credit unions and other financial organizations are hopping on the lawsuit bandwagon to recoup the millions of dollars spent reissuing debit/credit cards to affected customers.
Banks Shoulder Costs
According to a KrebsonSecurity.com article from February listing the Target breach by the numbers, $200 million was the estimated cost to credit unions and community banks that needed to reissue 21.8 million cards. A recent dismissal filing earlier this month shows that Target doesn’t think they should be held liable in a multibillion dollar class-action lawsuit filed against the retailer, as SCMagazine.com reports.
A group of banks filed the claim, arguing that Target was negligent when it came to handling credit and debit card data, leaving them vulnerable to a breach. A separate lawsuit filed early this year and eventually dropped estimated that the financial industry could owe more than $1 billion in remediation costs that include correcting fraudulent charges in addition to card reissuance, as Reuters reported.
A total of 140 lawsuits have plagued Target this year, according to SCMagazine.com, from consumer lawsuits to financial institution complaints and shareholder claims.
When it came to fraud, around 8 percent of debit cards and 4 percent of credit cards were used in the Target breach, according to a survey by the American Bankers Association (ABA). Loss per each fraudulent debit card cost banks, on average, $331 and $530 for each credit card, as AmericanBanker.com reports.
However, the biggest and most often overlooked expense related to card breaches is the burden placed on banking customer service - one unnamed banker reported that the Target data breach caused an influx of calls to their customer call center for several weeks, straining their resources and ability to provide normal servicing.
Banks Take a Stance
Earlier this year, The Independent Community Bankers of America (ICBA) announced that the nation’s community banks had reissued more than 4 million credit and debit cards at major retailers - and that doesn’t even take into account any cards involved in the long list of compromised franchises that followed after the Target and Neiman Marcus breaches, including Home Depot’s speculated 60 million card data breach.
The ICBA has an opinion about the rise in breaches and how they affect banks, stating a few data security principles they advocate for, including:
- The party at fault for a breach should be held accountable for the costs of data breaches
- All participants of the payments system should be subject to data security standards (similar to the Gramm-Leach-Bliley Act)
- National data security breach and notification standards should be implemented to replace current state laws that differ on the topic
- Barriers to threat information-sharing between law enforcement and the financial and retail industry should be removed
- Chip technology alone can’t protect against online purchases and may not have prevented recent retailer breaches
Similarly, the ABA holds a similar stance on the issue:
ABA believes Congress should pass data security legislation that holds retailers and others to high, uniform, nationwide standards for safeguarding sensitive customer information. Banks have had such an obligation to protect their customer's sensitive financial information for years. ABA also is advocating that those responsible for data breaches should be responsible for their costs.
The fact is, (regardless of who is found liable) breaches have very real consequences for not only the affected retail organization, but also for associated banks, as they must grapple with the burdens of fraud, card reissuance and customer service.