This week, the New York Times discussed financial liability issues rooted in increasingly prevalent cyber security breaches. As cyber attacks on retailers continue to grow in size, severity and frequency, so do the financial losses plaguing the victims of those attacks.
Historically, most of the economic burden of these cyber attacks has been covered by local banks, credit unions, and other financial institutions. However, as hacks become more widespread, banks are now turning to the companies that were hacked in the first place to cover the financial burden.
Several cumbersome federal lawsuits are underway that could re-establish the precedent for who is responsible for compensating the financial costs incurred by cyber hacking.
The core arguments made by the small banks and credit unions filing these lawsuits center on retailers’ flagrant missteps and their disregard of security issues in spite of warnings from both inside and outside the companies. Similarly, these cases, specifically the security breaches of Target’s and Home Depot’s data systems, are highlighting inherent weaknesses in retailers’ security procedures that allow breaches to go unnoticed for extended periods of time.
One beneficial result of these extensive data breaches is the federally-mandated installation of microchip card readers in retailers across the country. Microchip EMV cards, introduced to American markets around 2012, offer enhanced security by making it more difficult to counterfeit cards. If retailers do not install the readers by Oct. 1, those companies will be responsible for any cost brought about in those stores by counterfeit cards after the deadline.
However, this implementation only succeeds in alleviating cyber hacks if customers have credit and debit cards with the relatively new microchip technology. According to estimates by the American Bankers Association discussed in the article, only 19% of customers have cards with microchips. Since the burden of compensation essentially falls on the party with “the lower level of security,” the banks that do not have these microchip cards are the ones most frequently responsible for reimbursements.
In an era when cyber breaches are becoming more and more commonplace, banks must choose between the billions of dollars needed to implement the microchips and the indeterminable costs of security hacks that arise from inferior safety precautions. Retailers, in turn, face a similar decision when choosing their insurance policies. Many companies struggle to choose a policy that is not unnecessarily costly but will be substantial enough in the event of a multimillion-dollar security hack.
Despite these microchips’ enhanced security, many institutions (both banks and retailers) are still not satisfied with the level of financial safety they ensure. While some individuals are discussing the likelihood of more hacks stemming from online purchases (which fall outside the microchips’ protective realm), others propose adopting Europe’s model for cards, which requires both a microchip and a PIN entered upon each purchase.