The war of words between retailers and banks over cyber-security failures has moved to the political stage, as lobby groups for both parties petition the political elite on Capitol Hill for legislative action to curb future data breaches.
The first salvo in the ongoing skirmishes between banks and retailers was fired last week by the Retail Industry Leaders Association, National Retail Federation, and National Association of Convenience Stores, which accused banking bodies of using misleading arguments on data security in the media and before Congress.
Arguing that retailers spend more than $6 billion per annum on cyber-security, the merchant lobby quoted stats from a Verizon report that appeared to show that over the past year, 465 (roughly 34%) of breaches took place at financial institutions, while fewer than 150 (less than 11%) affected retailers. They also noted that retailers share some of the costs of credit card fraud and pay for the issuance of new cards when a breach occurs.
In a joint letter to Congress dated Wednesday, seven banking trade groups have hit back at retailer claims, stating: "While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."
The banks countered that the Verizon report cited by retailers referred to international incidents of cyber-crime rather than US-centric accounts, and instead pointed to data from the Identity Theft Resource Center, which showed that banks accounted for only 6.2% of breaches in the year to November 2014.
The banks are calling on political leaders to pass legislation that will force retailers to tighten up security following a spate of cyber-attacks that has seen hundreds of millions of consumer accounts compromised over the past year.
"National consumer notification alone - as advocated by the (retailers) November 6th letter - will not solve this problem," the bank lobby insists. "It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse."