Who foots the bill in data breaches?

Don Ackerman: Credit unions shouldn’t bear responsibility of data breaches that occur at merchants.

The risk of exposed personal information is gaining momentum as consumers’ lives become more centered around the use of technology.

Recently, Jack Henry & Associates Inc. (Nasdaq: JKHY) disclosed a data breach at a digital financial software provider it acquired earlier this year called Geezeo. The data breach occurred in May, though officials reported the target was a data file from 2012 and that Jack Henry and Geezeo operations had not been impacted.

In September, DoorDash, a food delivery company, confirmed that a data breach, which also occurred in May, impacted 4.9 million customers, workers and merchants. The hackers gathered names, addresses, emails, passwords and phone numbers.

When fraudsters steal personal information in data breaches, who’s responsible for the financial burden? Officials with financial institutions say they take the brunt of it, and there’s an ongoing conversation about whether that’s a fair reality.

Don Ackerman, president of TelComm Credit Union, said the burden can be thousands of dollars at a time for a financial institution.

“The difficulty comes when accountholders use their cards at various merchants, and not every merchant has their computer system protected to the level it needs to be,” Ackerman said. “Those losses frequently come back to the financial institution, as far as the transaction losses we have to eat and the cost of the cards we have to reissue.”

TelComm is sending emails to its credit union members about the issue and urging them to reach out to legislators to help shift the financial responsibility to merchants.

Ackerman said the credit union has had to incur losses of nearly $30,000 in the past year. Their staff has also had to reissue cards to credit union members, which can be costly and time consuming.

Where are breaches taking place?
While the number of data breaches declined from 2017 to 2018, the business sector saw the highest number of data breaches and exposed records in 2018 out of all of the recorded industries, according to data from the Identity Theft Resource Center. The nonprofit ITRC tracks breaches in the health care, government, educational, financial and business sectors.

ITRC CEO Eva Velasquez said hackers are getting better at stealing a greater amount of information at a time.

The San Diego-based center recorded over 181.6 million records exposed in 2017 and 415.2 million records exposed in 2018 during data breaches in the business industry. The sector includes breaches related to nonprofits, retailers, grocery stores, hotels, airports, accounting, IT services, insurance companies, manufacturing and construction, according to Alex Achten, communications specialist for the ITRC, which supports victims of identity theft and broadens public education on related topics.

TelComm’s Ackerman said a lot of data compromises happen online.

“One thing cardholders can do is not store their confidential card information on internet merchant lines,” he said.

Scott Jones, owner of cybersecurity firm Liberty Technical Solutions LLC, agreed.

“Unfortunately, it’s the times we’re in now,” Jones said. “This requires training people to use more complex passwords.”

He said most people don’t know how to properly store or protect their information online. That’s why financial institutions and merchants should issue two-factor authentication, he said, referring to a multistep process where an account user must prove they’re opening their own account.

But data breaches can occur in many ways, Jones said. Personal data can be accessed by hackers if consumers click on a spam email or utilize a payment system with unencrypted software. He said personal information also can be found on the dark web.

Roughly 52% of data breach attacks are done through hacking, according to the 2019 Verizon Data Breach Investigations Report. Over 30% are conducted via social security attacks, and 28% involve malware.

The data also show 43% of breaches involved small-business victims, while only 10% were breaches of the financial industry.

Who’s financially responsible?
Credit union executive Ackerman said merchants should bear more of the financial responsibility in these situations when the breach occurs outside of the financial institution.

Amy McLard, executive director of advocacy at Heartland Credit Union Association, suggests that every party involved in the payment system should share the responsibility in protecting consumer data, but the entity that incurs the breach should bear the financial burden.

“Online transactions are where a lot of faults take place. If all parties involved have equal skin in the game to protect consumers, consumers win,” McLard said. “When your financial institution is paying for a data breach that happened at a store, you’re losing because that money comes from somewhere. If your credit union has to cover the cost, you are paying for it.”

The ITRC’s Velasquez said although merchants don’t cover the financial burden of the breach, they pay financially in the sense of a reputational hit.

“There are consequences when they have a data breach that does affect them financially beyond payment,” she said. “It’s the negative conversation that the public has when they are affected by breaches.”

Craig Shearman, spokesman for the National Retail Federation, said retailers alone have spent millions on cybersecurity.

“The problem is that the banks are the ones that run the card system, and they continue to offer a system that is weak on security,” Shearman said. “Most data breaches actually happen at banks or obscure companies in between.”

Shearman said 80% of retailers have point-to-point encryption. This is provided through a third-party solution provider that encrypts data from the point of interaction, like a credit card swipe, until the data reaches the secure database, according to the Payment Card Industry Security Standards Council. The council also has created a point-to-point encryption standard that requires vendors and third-party providers to ensure their data solutions can meet necessary requirements to protect payment card data.

Jones said that means it’s required that vendors store consumer credit card information in a properly encrypted form. But it’s not just the merchants and third-party credit card companies that need to be on alert, he said.

“Everyone needs to up their game,” Jones said. “Financial institutions need to implement two-factor authentication as a minimum … and individuals need to be more vigilant.”

Ackerman said TelComm offers a service to members called Card Valet, which alerts cardholders through their mobile device to when, where and how their cards are being used. Ackerman said the sooner a financial institution learns of fraudulent activity, the better.

“Once that fraudster gets into that information, they can … produce a new fraudulent card. By the time we’re notified of it, there’s transactions already coming through,” Ackerman said. “We quickly react to try to cut our losses.”