Moving the Onus of Data Breaches
I’m feeling lucky today. On the same day that New York credit unions are going to the Legislature to advocate for stronger data protections, among other things, news reports explain why small credit unions and banks are objecting to a proposed settlement between MasterCard and Target in relation to Target’s data breach.
To his credit, the Attorney General has made data breach legislation one of his main priorities. Recently, the Legislature introduced bills at his request (A.6866/S.4887) that would require all businesses in New York State to adhere to certain basic industry standards. For example, businesses that comply with Gramm-Leach-Bliley privacy protections would be in compliance with the AG’s standards. Since banks and credit unions have had to meet basic privacy protections for years, the main effect of the AG’s proposal would be to apply these standards to merchants. This is, of course, a good thing. But what happens when the merchants don’t live up to their end of the bargain?
Which brings us to today’s news. As explained in this article in the Wall Street Journal, small banks and credit unions are objecting to the proposed MasterCard settlement negotiated with larger banks on the grounds that it doesn’t provide adequate redress to smaller institutions. You may be aware that credit unions have joined class action lawsuits seeking damages against Target and other retailers for costs related to the breach. One of the main reasons the Target lawsuit has legs is that Target is headquartered in Minnesota. In addition to being the land of 1000 lakes, Minnesota is also one of the first states in the nation to have a statute enabling financial institutions to recover for the cost of data breaches caused by merchants. These costs include the expense of reissuing new debit and credit cards.
The AG’s bill includes no similar rights for New York banks and credit unions. If the legislation ultimately includes such a right, it would be a pretty fair deal for financial institutions and consumers. Data would be better protected and the fear of litigation would put some teeth behind this bill. In contrast, unless credit unions and banks get a statutory right to recover for the costs of breaches for which they are not responsible, costs of these data breaches will not be shouldered by the parties most responsible. This is particularly important for credit unions since, as the article points out, data breaches are more costly for smaller institutions.