As reported in today's Wall Street Journal, recent high-profile data breaches have forced banks and retailers to decide who pays to reissue the credit cards compromised in them. Banks -- most notably, community banks and credit unions -- assert that retailers should shoulder such costs since their system failures caused the loss. In turn, retailers argue that banks should adopt higher security protocols to guard against corruption and reduce the need for card replacement.
Per the WSJ article, the replacement cost for card issuers -- who have generally borne this burden -- is at least $10 a card. So, when 40 million debit- and credit-card accounts are compromised in a data-breach incident, as was the case with Target, the replacement costs can be staggering. In the past, banks have sued to recoup such costs, sometimes resulting in settlements. For example, T.J. Maxx (through its parent) settled with VISA after a 2007 data breach and covered a portion of its replacement costs. It also settled similar class-action claims brought by community banks to cover a portion of replacement costs.
For better or worse, at the banking industry's urging, the issue may be decided by Congress as the Senate Banking Committee is expected to hold hearings on the issue. As noted by the WSJ, "Sen. Robert Menendez (D., N.J.), a senior member of the Senate Banking panel, which also has jurisdiction over legislation that impacts the financial-services industry, said in a statement that 'retailers who fail to take the necessary steps to protect a customer's sensitive personal information should be held accountable.' Mr. Menendez said he is considering additional legislative fixes 'that are necessary to protect consumers' sensitive data,' including giving the Federal Trade Commission the ability to impose fines or penalties on companies at fault."