
Why Corporate Responsibility for Data Breaches Is Important



Data breaches are increasingly common, but the U.S. government doesn't think they should be. The Data Security Act of 2015, or H.R.2205, is a proposed bill that would require retailers to follow the same security standards established by the financial industry. While consumers desire better data practices and timely communication if a security breach occurs, some industry professionals still disagree about the role of corporate responsibility.

Retail Industry Opposes Regulation
Some of the primary opponents of the Data Security Act of 2015 are retail establishments. The Retail Industry Leaders Association views the bill unfavorably and says it's unfair to expect retailers to follow the same privacy and security regulations as banks and financial institutions. Similarly, the Consumer Federation of America states the bill would do more harm than good.

The Federation of State PIRGs, a group that supports consumer interests, says H.R.2205 would eliminate state security laws — some of which are stronger than the proposed federal legislation — and prevent state innovation. However, not all states have security laws in place, and the laws that do exist have varying requirements. This can become complicated when a data breach begins in one state but spreads to others.

The National Retail Federation (NRF) says the legislation is red tape that will negatively impact small businesses. The NRF suggests small businesses don't pose the same level of risk as financial institutions and therefore shouldn't be held to the same criteria and regulations. Yet all businesses, regardless of size or industry, are at a growing risk of a data breach.

Financial Industry Promotes Shared Responsibility
Major players in the financial industry launched the "#StopTheDataBreaches" campaign to support H.R.2205, arguing that retailers, networks, processors, and financial institutions should all share responsibility for data hacks. Right now, financial institutions — not retailers — are being asked to pay out. This is how the Wendy's breach is being handled, and financial institutions are feeling the pressure.

The financial industry also recognizes that chip card technology can help fight data breaches, but holds that focusing only on this method is foolish. Retailers that use chip cards have seen a 26% decrease in counterfeit fraud. However, the retail industry has been slow on this front as well: only 37% of retail companies can process chip cards.

Plus, an increasing number of consumers make online purchases. Chip cards don't provide protection for these transactions, which puts consumer information in jeopardy. Consumers need a comprehensive solution that includes the secure transmission and storage of their personal and financial information at both the physical and digital checkout lines.

Data Security Sways Consumer Loyalty
Many consumers may not be aware of H.R.2205, but they know that data breaches are a risk. As hackers show a shift in interest from financial information to personal information and identity theft, 63% of consumers don't believe retailers are doing enough to protect their data.

Consumers share concerns and negative experiences with friends and family. When a consumer's trust is broken, their loyalty goes as well. They may quit shopping at stores that don't secure data, stop shopping online, or switch to using cash in the store.

Consumer Expectations of Corporate Responsibility
According to consumers, all retailers should take proactive cybersecurity measures, such as keeping up to date on cybersecurity trends. The public wants companies to be transparent about privacy and security practices, particularly those related to sharing and storing personal and financial information. Consumers recognize that a corporate data breach can negatively impact them, and 40% of consumers stop shopping at retailers that have had breaches.

Over 90% of consumers expect to be notified within 24 hours of a data breach, and 60% believe a national notification policy could help them feel more secure. Consumers expect retailers to help them protect their information and to notify relevant third parties in the event of a breach. If given the information and tools they need, consumers are willing to take action — they understand that security is a shared obligation.

But perhaps most of all, consumers want to be treated as people. They want retailers to care about them more than their wallets. Taking the responsible and ethical approach to managing data breaches — whether or not there is a federally mandated standard — will help retailers win back consumers.