Sen. Claire McCaskill (D-Mo.) said last week in a hearing to examine the Target data breach that policymakers need to address confusion surrounding the costs of data breaches and how losses are absorbed.
McCaskill, a member of the Senate Commerce, Science and Transportation Committee, which held the hearing last Wednesday, said companies that hold on to consumers’ personal information are not held liable for the costs that are incurred as a result of a data breach or cyberattack.
“I don’t think people understand… a lot of the costs associated with this breach—in fact the majority—fall on credit unions and local banks instead of Target,” McCaskill said. “Interchange fees were $19 billion before the Durbin Amendment, and now they are less than $10 billion. So retailers got almost $10 billion extra as a result of those prices going down. I’m not saying that’s good or bad, but I’m trying to say it’s important the risk be borne by those who must engage in the activity to protect.”
McCaskill told Target Vice President and CFO John J. Mulligan, one of the committee’s witnesses at the hearing, that a “clarification of where the risk falls” is important to ensure that risks are aligned with “the right incentives in the free market.”