Banks Should Keep Your Data as Safe as Your Money

From the New York Times:

Citigroup’s revelation that hackers stole personal information from more than 200,000 credit card holders makes it one of the largest direct attacks on a major bank.

….Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers.

….“We’re not dealing with 14-year-old hacker kids,” said Steve Elefant, the chief information officer at Heartland Payment Systems, which overhauled its security measures after the systems it used to process credit and debit card transactions were hacked in 2008. “We’re talking about 21st-century bank robbers — sophisticated, organized criminal gangs, located mostly in Eastern Europe and the U.S.”

….Big credit card lenders are loath to acknowledge another reason that the breaches keep happening: they are in the business of reducing the financial losses stemming from fraud, not preventing data theft in the first place. As a result, analysts say, they have devoted the bulk of their resources to trying to stop fraudulent transactions from occurring.

Banks might indeed be loath to admit it, but the Times delicately hints at the reason this keeps happening: banks don’t care. And the reason they don’t care is because there are no serious penalties for these kinds of breaches and consumers have no ability to sue over them. What’s more, it’s consumers who end up having to clean up the mess if the hack results in ID theft or some other kind of fraud, not the banks. So why bother?

This is something that really ought to be a bipartisan outrage. Banks and other financial players don’t care very much about this stuff because they don’t have to pay much of a price for things like ID theft and data breaches, but they’d start caring if Congress passed legislation that made them responsible for these costs. That’s what Congress did in 1968 for credit card fraud, and banks started figuring out clever ways to reduce fraud mighty quickly. Make them responsible for data breaches and I’ll bet they’d figure out how to reduce those too. Alternatively, we could just pass some heavy-handed rules, as Europe has done. One way or the other, though, banks should be responsible for the cost of their own mistakes. That’s really not something that Republicans and Democrats should have much reason to disagree about.