Joint Trade Letter to Senate Judiciary Committee for hearing on ‘Preventing Data Breaches’

Re: Hearing Titled “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime”

Dear Chairman Leahy and Senator Grassley:

The undersigned organizations representing the financial services industry are writing to commend you for holding this hearing on the recent breaches of sensitive consumer financial and personal information at several major retailers across the country. The financial services industry stands ready to assist policymakers in ensuring that robust security requirements apply to all participants in the payments system, and we respectfully request that this letter be made part of the record for your hearing.

In all data breaches, including the recent retailer breaches, the financial services industry’s first priority is to protect consumers from fraud caused by the breach. Banks and credit unions do this by providing consumers “zero liability” from fraudulent transactions in the event of a breach. Although financial institutions bear no responsibility for the loss of the data from a retailer’s system, they assume the liability for a majority of the resulting card-present fraud. In most instances, financial institutions have historically received very little reimbursement from the breached entities – literally pennies on the dollar.

For example, virtually every bank and credit union in the country is impacted by the Target breach. Our understanding is that the breach affects up to 40 million credit and debit card accounts nationwide, and also has exposed the personally identifiable information (name, address, email, telephone number) of potentially 70 million people. To put the scope of the breach in perspective, on average, the breach has affected 10 percent of the credit and debit card customers of every bank and credit union in the country.

The Target breach alone is estimated to cost financial institutions millions of dollars to reissue cards and increase customer outreach, with substantial longer-term costs associated with fraud and mitigation efforts to limit the damage to customers. Although a variety of factors can go into the calculation, for banks and credit unions the cost of reissuing cards can range from $5 up to $15 per card, and a preliminary survey of banks impacted by the Target breach conducted by the Consumer Bankers Association indicated that more than 15.3 million debit and credit cards have been replaced to date. The numbers of cards issued, along with the total costs, are nearly certain to rise, especially as the extent to which other retailers have been breached becomes more certain.
