CBA: Recovering Breach Costs

Are Lawsuits or Dialogue More Effective?

David Pommerehn

In the aftermath of the Target breach, the Consumer Bankers Association surveyed its 58 member banks and determined the cost to those banks has already surpassed $170 million in losses. While the CBA doesn't have an official stance on lawsuits that have been filed by banks against recently breached retailers, it does support banks' rights to recover losses and expenses associated with breach recovery, says David Pommerehn, the CBA's senior counsel and assistant vice president.

Pommerehn says losses associated with breaches should be reimbursed when the breaches are not the fault of the impacted issuers.

"Some banks have chosen to go through a legal route, such as filing a lawsuit," he says in an interview with Information Security Media Group (transcript below). "Others will reach directly to merchants to be reimbursed for costs."

But Pommerehn says more dialogue about the accountability for breaches needs to be ongoing between banking institutions and merchants.

"If merchants are responsible for breaches, we believe that the re-issuance cost should be their responsibility to cover," he says.

During this interview, Pommerehn also discusses:

- Why the Target breach is getting more attention than previous retailer breaches;
- The survey the CBA conducted with their member banks in the aftermath; and
- Why retail breaches are expected to get more costly.

Pommerehn's expertise covers a wide range of legal, legislative and regulatory issues associated with consumer financial services. At the CBA, he focuses on deposits and payment issues, as well as small business banking issues. Before joining the CBA in 2008, he served as a defense attorney for the State of Maryland and as counsel to several not-for-profit financial services companies.

Cost of Target Breach

TRACY KITTEN: Target's breach has gotten the nation's attention, but it's not the largest card breach the financial services industry has ever seen. Why, then, has Target's breach shaped up to be one of the industry's most costly?

DAVID POMMEREHN: I would correctly point out that the breach was on the retail side, not on the financial institution side. But in recent years the correlation between fraud and breach victims has increased, whereas a couple of years ago it might have been one in four. Today's numbers are more about one in three of actual breached card information, and would be used in actual fraudulent charges. The more you have in actual fraudulent charges and costs, the more you're going to have in an overall breach, and the more costly it's going to be to the industry as a whole. The Target breach, while certainly not the largest in history, was fairly large, an estimated 110 million card users were affected, which was national in scope. There [are] a lot of folks out there that were affected by this, again the correlation between the actual fraud victims for breached information has increased. You put all those things together and the actual cost of a breach like Target is quite large. Again, this is a significant breach, if you really look at the breaches in the past year or so, Target by far is one of the largest.

CBA Survey

KITTEN: The CBA notes that so far approximately 17.2 million cards have been re-issued by its member banks because of breaches. How did the CBA come up with those figures?

POMMEREHN: We surveyed member banks from some of our largest down to our small asset-size and asked them what the number looked like for them, and then we approximated that number and came up with an average of cards that were affected by this based on our membership side. One of the questions we asked them was, "How much did this cost per card to replace and all the things that go along with it?" The average amount came out to about $10 per card, which of course includes actually replacing the plastic and sending that plastic to the customer, but also includes other things such as a higher increase in call center activity, customer outreach to explain the parameters around the breach, and what the bank is doing. With smaller institutions it could be quite large; they don't have the economy of scale to bring down those costs, so the more cards that were breached, the higher the costs are going right now.

KITTEN: How many member banks does the CBA have?

POMMEREHN: Currently CBA has 58 members.

KITTEN: Have all of your banking institution members been affected by the Target breach?