In the aftermath of the Target breach, the Consumer Bankers Association surveyed its 58 member banks and determined the cost to those banks has already surpassed $170 million in losses. While the CBA doesn't have an official stance on lawsuits that have been filed by banks against recently breached retailers, it does support banks' rights to recover losses and expenses associated with breach recovery, says David Pommerehn, the CBA's senior counsel and assistant vice president.
Pommerehn says losses associated with breaches should be reimbursed when the breaches are not the fault of the impacted issuers.
"Some banks have chosen to go through a legal route, such as filing a lawsuit," he says in an interview with Information Security Media Group (transcript below). "Others will reach directly to merchants to be reimbursed for costs."
But Pommerehn says more dialogue about the accountability for breaches needs to be ongoing between banking institutions and merchants.
"If merchants are responsible for breaches, we believe that the re-issuance cost should be their responsibility to cover," he says.
During this interview, Pommerehn also discusses:
- Why the Target breach is getting more attention than previous retailer breaches;
- The survey the CBA conducted with their member banks in the aftermath; and
- Why retail breaches are expected to get more costly.
Pommerehn's expertise covers a wide range of legal, legislative and regulatory issues associated with consumer financial services. At the CBA, he focuses on deposits and payment issues, as well as small business banking issues. Before joining the CBA in 2008, he served as a defense attorney for the State of Maryland and as counsel to several not-for-profit financial services companies.
Cost of Target Breach
TRACY KITTEN: Target's breach has gotten the nation's attention, but it's not the largest card breach the financial services industry has ever seen. Why, then, has Target's breach shaped up to be one of the industry's most costly?
DAVID POMMEREHN: I would correctly point out that the breach was on the retail side, not on the financial institution side. But in recent years the correlation between fraud and breach victims has increased, whereas a couple of years ago it might have been one in four. Today's numbers are more about one in three of actual breached card information, and would be used in actual fraudulent charges. The more you have in actual fraudulent charges and costs, the more you're going to have in an overall breach, and the more costly it's going to be to the industry as a whole. The Target breach, while certainly not the largest in history, was fairly large, an estimated 110 million card users were affected, which was national in scope. There [are] a lot of folks out there that were affected by this, again the correlation between the actual fraud victims for breached information has increased. You put all those things together and the actual cost of a breach like Target is quite large. Again, this is a significant breach, if you really look at the breaches in the past year or so, Target by far is one of the largest.
KITTEN: The CBA notes that so far approximately 17.2 million cards have been re-issued by its member banks because of breaches. How did the CBA come up with those figures?
POMMEREHN: We surveyed member banks from some of our largest down to our small asset-size and asked them what the number looked like for them, and then we approximated that number and came up with an average of cards that were affected by this based on our membership side. One of the questions we asked them was, "How much did this cost per card to replace and all the things that go along with it?" The average amount came out to about $10 per card, which of course includes actually replacing the plastic and sending that plastic to the customer, but also includes other things such as a higher increase in call center activity, customer outreach to explain the parameters around the breach, and what the bank is doing. With smaller institutions it could be quite large, they don't have the economy of scale to bring down those costs, so the more cards that were breached, the higher the cost are going right now.
KITTEN: How many member banks does the CBA have?
POMMEREHN: Currently CBA has 58 members.
KITTEN: Have all of your banking institution members been affected by the Target breach?
POMMEREHN: That is hard to say. The Target breach was national in scope and it is entirely possible that most of our members had at least some of their cards compromised by it. It really is going to be bank-specific. Some of our members include [larger] bank[s], and it goes down to asset sizes around $10 billion, and some lower. They have different size portfolios, and from what we understand the outcomes of the Target breach have affected different geographies a little more than others. I can't tell you with complete certainty that every single member of ours was affected by it, but I think it is entirely possible and likely that they were given the national scope of the Target breach.
KITTEN: What would you say was the most costly to replace?
POMMEREHN: Again, it's going to be different for each institution. Some institutions produce or issue their own credit cards, and so they carry their own card portfolios and certainly are going to incur cost there if they have large ones. But I would say that it is likely more expensive for our member banks to replace the debit side due just to the fact that more customers have those kinds of cards. A lot of our member banks simply just re-issued all of the affected cards. If you think about a checking account and the debit card that is associated with that, most customers have to replace that card. Whereas with a credit card, not everybody carries one and you don't have to replace everyone for every customer that you have that has a checking account in your institution. All in all, I would say the debit side of it is slightly more expensive to produce simply because of the volume.
KITTEN: How much fraud have banking institutions had to cover so far?
POMMEREHN: It really does depend on the institution itself and the size of their portfolio, whether it is a debit card or a credit card. The more this plays out, the clearer it becomes of what the actual cost of the fraud is. Whether or not the cards that were breached, the data that was breached, is actually being used for fraudulent charges, and how much those charges are. We won't really know those numbers for some time now. It will have to play out over the next couple of months to really see exactly where the fraudulent charges come down to. We would expect our banks have been very diligent in responding to this. We're talking about a 30- to 45-day response period right now, and our banks have blanketed their customers with new cards, new information, reached out to them, and manned a call center. I would expect that for the majority of banks involved here, they'll have a lot of these cases closed by February and March. You'll see some fraud cases probably lasting through March, and maybe some additional ones popping up, but over the next few months you would probably see this drop off due to the actions the banks are taking to replace and protect their customer's information.
Advice to Banks
KITTEN: What advice would you offer to banking institutions, where fraud protections, detection and fraud-loss recovery are concerned, as they relate to Target and other breaches?
POMMEREHN: Banks are already pretty well versed in the issues surrounding fraud and fraud prevention. We've been doing this for a long time. We have some of the most sophisticated fraud detection systems available in the industries. We are constantly working to innovate and improve our systems. They're checked, double checked, and it's important to note that our customer's information and safety in using our products is one of our top priorities, and that there is actually very little breach from financial institutions and a lot of the breach comes from retailers. So we diligently have put in systems within financial institutions to help protect our customer's information and we'd like to work with merchants to do the same.
Fraud Detection Systems
KITTEN: How would you work with merchants to help them enhance their fraud detection systems and fraud prevention systems?
POMMEREHN: No retailers can become members of the CBA, it would have to be a chartered bank banking institution to become or a credit union to become a member of CBA. But certainly there is a lot of dialog that has come through this, between banking institutions, merchants and retailers. Our member banks obviously work with a lot of these retailers, and they often are banks of the retailers and the merchants. We need to just continue that dialog and make sure that we're coming to good solutions that benefit the consumer.
Lawsuits against Retailers
KITTEN: What is the CBA's stance regarding lawsuits seeking to recover losses suffered?
POMMEREHN: I don't think we have an official stance with regards to lawsuits. I can tell you that we do fully support efforts to be reimbursed for costs that are associated with breaches that are of no fault to the financial institution or the issuers. Some banks have chosen to go through a legal route such as following a lawsuit. Others will reach directly to merchants to be reimbursed for cost, but this is part of that dialog and having accountability for breaches that occur within certain institutions. So if merchants are responsible for breaches, we believe that the reissuance cost should be their responsibility to cover.
KITTEN: What more would the CBA like to see happen, from a legislative perspective?
POMMEREHN: There are a few things that we would like to see happen, and as this plays out we'll get more information and see the progression of this. We'll be able to better ascertain what exactly needs to be done to help protect customer information going forward, but I can point to a few things that we would like to see at this point. That would be, first and foremost, to establish a national standard for security breach notification. Right now we have a fairly piecemealed system which is state by state. It would be nice to have a standard notification system that can be utilized by both merchants and financial institutions to make sure that customers are notified in a timely manner about breaches.
We would also like to see federally mandated standards for merchants to comply with when it comes to protecting their customer's information. Banks have standards in place currently that are dictated to us mainly through the Gramm Leach Bliley Act, but we had a minimum set of standards that we have to adhere to and think that merchants should have a similar set of standards applied to them. There should be better sharing of threat information. There shouldn't be unnecessary legal or other barriers to effect threat information being shared between law enforcement and those responsible for breaches. Lastly, I would say that we would like to see is when there are costs that our incurred through breaches, that the responsible parties cover those costs; such as cost of reissuing cards and making customers [aware]. I think those are some basic points that we would like to see legislation cover moving forward. I can't stress enough that as this unfolds, more details become available, it will become clearer which routes we need to take to better secure customer non-public information. We're a part of that process and we continue to work with Capitol Hill and with the parties involved to make sure that we come to the best place possible.
KITTEN: Are there any final thoughts about these recent retail breaches, the costs involved, or perhaps some of the next steps the banking institutions need to take, you'd like to share?
POMMEREHN: The banking institutions have systems in place currently. We're very diligent about our systems, we double check them constantly. We have mandated minimums that we have to adhere to. Our customer data security is the utmost priority. We want to work with all the parties here, with the merchants, Capitol Hill, and Congress to make sure that we come to a place where we can ensure that customers can go out and use their cards without the fear that their data is going to be compromised. Let's face it; the card is king these days. Very few people use cash. ... Hackers are out there coming up with innovative ways to hack systems and break firewalls. We have to be one step ahead of them. That is going to take all the players in the system to really effectively combat that threat and that includes merchants. So I would say moving forward, working with the merchants and working with Capitol Hill is a top priority as a follow-up from the Target breach [as is] responding to our customers and ensuring that their data is secure.