By Emily Stephenson
WASHINGTON Feb 6 A top U.S. financial regulator
on Thursday told lawmakers that retailers and other companies
that deal with customer payments should have the same obligation
as banks to report data breaches.
The call for a uniform disclosure regime comes after cyber
criminals managed to pull off a massive theft of customer data
from retailer Target Corp during the holiday shopping
season in late 2013.
That and other high-profile data breaches have reignited a
debate about whose responsibility it is to protect against cyber
crime and how customers should be notified.
U.S. Federal Reserve Governor Daniel Tarullo told the Senate
Banking Committee that regulators require banks to notify
customers and take certain remediation steps when breaches
But strict rules do not exist for retailers and other
players in the electronic payments system, including third-party
"I think you probably need some uniform requirements on
disclosure when breaches have actually taken place," Tarullo
said. "Until the banks and customers are sure that they know
whenever anything has happened with their data, it's going to be
hard for people to respond."
Tarullo did not specifically call for legislation.
Bank groups argued in letters to Congress this week that
retailers' lack of disclosure requirements prevents information
from reaching customers quickly.
"We believe that legislation should be enacted to better
protect consumers by replacing the current patchwork of state
laws with a national standard for data protection and notice,"
the American Bankers Association, Consumer Bankers Association
and other groups said in a letter to lawmakers on Monday.
Federal Deposit Insurance Corp Chairman Martin Gruenberg
said Congress should take a look at updating laws governing
those outside service providers that work with banks.
"I think the gap here is for the nonbanking sector that
needs focus and attention," Gruenberg said at the Senate hearing
The Securities and Exchange Commission said this week it
plans to review asset managers' policies to prevent cyber
attacks to make sure they safeguard against security risks that
could arise from vendors having access to their systems.
Mary Miller, the U.S. Treasury Department's undersecretary
for domestic finance, also told lawmakers on Thursday that it
would be "valuable" if Congress passed comprehensive