The Data Security Act of 2015: What does it mean for banks and merchants?

Posted by Sid Khaitan on Jun 15, 2016 2:57:00 PM


A fiery debate has resurfaced between financial institutions, merchants, and consumer groups regarding the Data Security Act of 2015. The bipartisan bill, introduced to Congress as H.R. 2205 by Representatives Randy Neugebauer and John Carney on May 1st, 2015, explicitly states two purposes: “to establish strong and uniform national data security and breach notification standards for electronic data” and “to expressly preempt any related State laws in order to provide the Federal Trade Commission with authority to enforce such standards for entities covered under this Act.”

An Overview of the Bill

As an overview, the bill requires individuals, merchants, and other non-government entities that handle sensitive financial account information or nonpublic personal information to implement an information security program and to notify consumers, federal law enforcement, payment card networks, and consumer reporting agencies of data breaches involving unencrypted sensitive information. Other salient provisions include directing covered entities to require their third-party service providers (generally point-of-sale providers) by contract to implement appropriate safeguards, allowing financial institutions to disclose information about breaches to account holders, and extending the compliance procedures financial institutions already follow under the Gramm-Leach-Bliley Act (GLBA) to businesses and retailers. Under the GLBA, financial institutions have faced stringent compliance procedures to protect confidential information since 1999, so the argument is: why shouldn’t merchants?

Establishing a National Standard for Banks and Merchants

Proponents of the bill argue that despite the exponentially growing number and sophistication of data breaches, no federal standard exists for consumer data protection at the merchant level. Currently, there are few or no data security regulations for merchants, allowing them to store customer transaction data without any virus or malware protection, firewalls, or data encryption; as a result, consumer data is left vulnerable to fraud. At the same time, banks and credit unions must bear the cost of reissuing credit cards and reimbursing consumers when data breaches occur. To make matters worse, financial institutions are not allowed to identify who was responsible for the breach. Effectively, this casts banks as the culprits even when they have done nothing wrong, and provides little motivation for merchants to protect consumer data. By establishing a baseline standard for all players in the chain of commerce, supporters of the bill believe that everyone will be held accountable. Also, by dissolving the conflicting patchwork of current state laws and replacing them with a uniform federal code, consumers will avoid confusion, and companies will not struggle with differing compliance requirements between states.

When asked how small businesses will afford to keep up with proposed regulations of the Data Security Act of 2015, Representative Neugebauer explained the guiding principles the sponsors used in drafting the bill: “First, any national standard must be technology neutral and process specific. This helps ensure the private sector can continue to innovate. Second, we need everyone at the table—all participants in the payment system must equally share in the efforts to protect consumer financial data. As we have learned from too many previous breaches, the system is only as strong as the weakest link. Finally, the standards we establish are scalable and well-tailored to avoid unnecessary burdens on small businesses.”

Opposition from Merchants and Consumer Protection Agencies

On the other hand, merchants and consumer protection agencies disagree. First of all, they argue, although the required security procedures are scalable, the costs of onboarding and training employees to meet updated security standards will be hard for smaller companies to bear. Also, by superseding all state laws regarding data breaches and notification, the Data Security Act of 2015 would suppress developing state laws that protect an individual’s email accounts, cloud photo storage, geographic location, and electronic communications. Another potential flaw is that the national “harm trigger” standard for breach notifications outlined in the legislation is weaker than that of seven states and the District of Columbia, preventing those states from taking stronger measures against data breaches.

Although the bill was reported on December 9th, 2015 by the Committee on Financial Services with a majority vote of 46 to 9, it remains to be seen whether the Data Security Act of 2015 will become law.

Rippleshot’s signature card fraud detection tool, Sonar, is portfolio, device and fraud type agnostic. Have you checked it out yet? We’d love to show you around. Click below to set up a quick demo:


Topics: Industry News, Rippleshot News, Lawsuits, Data Breach Legislation, EMV, Fraud, Cybersecurity