Twelve months after data from 40 million cards were stolen from Target, beginning a year of escalating hacks of retailers’ payment card systems, not much has changed beyond awareness.
The absence of federal action reflects the difficulty of improving cybersecurity. Lawmakers on both sides of the aisle agree on the goal of improving the security of the nation’s networks, but disputes over even small details can sidetrack progress.
Congressional action has been bogged down in side fights, and industry-led changes have been slow and narrow. Executive action, and power, on the issue is limited, and most administration efforts have been designed to encourage retailers to take extra precautions against theft, rather than apply new regulations.
It’s not that retailers haven’t tried to shore up security this year — but there’s only so much they can do against a determined hacker who constantly develops new ways to strike at computer systems.
Nearly a dozen bills were introduced in Congress in 2014 designed in some way to protect Americans’ personal information against breaches. One got a hearing, but none were voted out of committee.
In two cases, laws introduced by Sen. Jay Rockefeller and Sen. Patrick Leahy saw zero progress in committees that their sponsor himself chaired.
The bills have been held up by a major feud between retailers and card issuers about who should bear the cost of breaches. Meanwhile, consumers — numb to the news of repeated hacks and reimbursed for fraudulent charges — haven’t applied the grass-roots political pressure necessary to prompt congressional action.
Instead, the White House has aggressively pushed a voluntary set of cybersecurity standards for the private sector, developed by the National Institute of Standards and Technology.
And in October, the president signed an executive order to spur the adoption of chip and PIN card technology in government-issued purchasing and benefit cards. The new chips make cards almost impossible to duplicate and thus cut down on a significant amount of fraud. But the target date for the government and some private sector volunteers’ adoption of the plan is January 2015, after the holiday shopping season concludes.
The executive order applies only to the federal benefit and purchasing cards, and industry-led efforts to better secure the vast majority of payment cards have been painstakingly slow.
Starting next October, however, any party in the payment chain who doesn’t use the new chip technology will be held liable for any breaches. But even that improvement reflects the industry’s inability to move quickly in adopting new safeguards: The move was announced by major card companies starting back in 2011.
“We called the year of the data breach. Then we had 2014,” said Atlantic Council expert Jay Healey, a former White House and financial sector official. “Now 2014 is … the year of the data breach. We’re not seeing any diminishing of the numbers of stories, so certainly you can imagine that 2015 will also be year of the data breach.”
And the risks escalate with the start of the holiday shopping season, as cybercriminals are very much aware of the flurry of shopping.
“I’d bet that the growth of data breaches during the holiday season is very much tied to the growth of Black Friday and Cyber Monday,” Healey said. “Hunters are more likely to be out when there’s more prey to be hunted.”
So why has so little been done?
Part of the problem is consumers rarely feel the pain of such breaches — most only dealing with the inconvenience of getting a new credit card or contesting fraud for which the banks will ultimately cover the cost.
And the two biggest breaches in recent memory — at Target and Home Depot — both show that customers don’t blame retailers for the data breach, at least for long.
Target fired its CEO and saw its earnings drop in the immediate wake of the breach. But last week, Target’s CFO said opinion surveys show customers “moved past” the breach by midyear.
Months after the Target breach, Home Depot announced an even bigger breach, but the company’s earnings actually went up in the quarter it announced the incident.
A survey conducted for the National Retail Federation found only 18 percent of customers said breaches might affect their holiday shopping habits.
“After Target, I was on the Hill: the members got maybe five phone calls. After the Home Depot breach, I found one member who got one phone call,” said Scott Talbott, senior vice president of governmental affairs for the Electronic Transaction Association.
“I think the public is numb to it,” House Intelligence Committee Chairman Mike Rogers (R-Mich.) said at a financial industry cyber event in September. “We really thought the Target event was going to be a game changer. … The problem is the fight became not about that individual having any exposure, but about who was going to pay for the change of the cards.”
Indeed, despite widespread agreement in Congress and industry that better security is an important goal and legislation could help, most of the lobbying of Congress has been dedicated to finger-pointing between banks and retailers over who is to blame for data breaches and who should be left holding the bag.
And while practically everyone agrees there should be some type of uniform federal data-breach legislation — including the pro-industry Chamber of Commerce — the devil is, as always, in the details.
Outgoing Rep. Lee Terry (R-Neb.) worked for months to try to introduce a data breach bill in the House that never got finalized. A House Republican aide familiar with those negotiations said too many interests wanted a stake in the bill, from the privacy community to the retailers and banks.
An industry lobbyist said the issue is so wrapped up in the retailers-banks fight that it stymies progress.
That battle has also slowed industry adoption of better card security. Banks want retailers to upgrade their terminals to use the new chips, saying it’s not worth issuing the cards if there’s nowhere that accepts them. Retailers say there aren’t enough cards in circulation to justify the expense of upgrading terminals. Both sides are slowly moving forward now.
When asked if the retail vs. banks fight was derailing legislation, National Retail Federation SVP and general counsel Mallory Duncan answered by pointing the finger back at banks.
“It’s hard to have a fight about something that’s not yours,” Duncan said. “If the cards [banks and other issuers] produce are fundamentally flawed, they are eminently hackable, then it’s hard to say it’s others’ responsibility to secure them. … If someone has a trash pile at their house and it’s attracting vermin, it’s not everyone else’s responsibility to lock their doors.”
On the other side, the National Association of Federal Credit Unions has led a letter-writing campaign to Congress this year demanding new standards for retailers and blaming them for breaches without picking up the cost. Those letters almost always include the line:
“As long as retailers are more concerned with their bottom line than protecting consumers, no one should expect their personal data to be protected.”
Some in the finance sector have sought a more collaborative approach, and the Financial Services Roundtable pointed to the Merchant-Financial Cyber Partnership formed this year by retail and bank representatives as a good start. But they acknowledged that even as the partnership has made progress, it’s still clear that neither side is willing to compromise sufficiently to enact needed protections.
“I think consensus was entirely achievable, but unfortunately as is far too often the case in this town, politics get in the way,” said Jason Kratovil, FSR vice president of government affairs for payments.
The steady stream of data breaches has left folks wondering what it would take to spur action. By one estimate, nearly 1 billion records were compromised by criminals in 2014.
“If Congress could not pass a data breach law after a week that there are breaches impacting nearly every segment of the population — from naked celebrity pictures, to credit card information from thrift stores and home improvement stores shoppers — I’m not sure when they could,” said Francine Friedman, a senior policy counsel for Akin Gump, referring to a single week in September that saw the Home Depot breach, Apple hack and a Goodwill breach update hit the headlines.
The near certainty that someone will be breached this holiday season does not mean retailers are entirely unprepared. The Target breach and subsequent hacks prompted the boards of some firms to invest more heavily in security, said William Stewart, senior vice president of Booz Allen Hamilton, where he leads the commercial financial services business.
But investments only lower the probability of getting hit, they don’t eliminate it, he added.
The Secret Service, the financial services industry’s joint cyberthreat center and the retail industry’s cyberthreat center put out a joint advisory earlier this month to raise awareness about the risk and offer some steps to make payments more secure.
But even if companies have taken steps to prepare, the merchant payment system “is more secure, but it is not totally secure,” Duncan said.
“To think that the entire United States payment ecosystem can transform itself completely and entirely and fix all of the payment issues involved in protecting consumers in 12 months or less, is simply not realistic,” said FSR’s Kratovil, adding he believes it’s been a “watershed year” in terms of progress.
Nonetheless, Brian Finch, a partner at Pillsbury’s public policy practice, said that with malware as cheap and available as it is, criminals can even hire “cyber mercenaries” to conduct attacks for them — meaning everyone from the big retailers to small shops is vulnerable.
And every new security technology has a flaw, which hackers spend plenty of time and resources finding.
“There’s always going to be penetration — it will be a question of how quickly are they going to catch it,” Finch said. “There’s no eliminating the risk; it’s a question of how well you manage it.”