RILA Sets Cyber Crime Initiative

The Retail Industry Leaders Association's action comes on the heels of security data breaches at Target and Neiman Marcus.

WASHINGTON — The Retail Industry Leaders Association said Monday it is launching a cyber-security and data privacy initiative.

This story first appeared in the January 28, 2014 issue of WWD.  Subscribe Today.

A massive data breach at Target Corp. followed by another at Neiman Marcus Group Ltd. LLC in the past month has thrust the issue into the spotlight and spawned Congressional probes and hearings.

Sandy Kennedy, president of RILA, said the initiative’s aim is to form a public-private partnership to address expanding cyber threats and to develop industrywide safeguards to protect consumers’ personal data.

“Retailers place extremely high priority on data security and invest tremendous resources to prevent attacks, but cyber criminals are persistent and their methods of attack are increasingly sophisticated,” Kennedy said. “Enhanced security measures help to thwart attacks, but unfortunately, some attacks have been successful, and the resulting incidents have affected millions. By working together with public-private sector stakeholders, our ability to develop innovative solutions and anticipate threats will grow, enhancing our collective security and giving customers the service and peace of mind they deserve.”

RILA’s initiative comes on the heels of two major retail security data breaches.

Target, a RILA member, reported a breach in December that the retailer initially said affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.

The cyber attack prompted an outcry on Capitol Hill and led to Senate Judiciary chairman Patrick Leahy (D., Vt.), who has introduced data privacy legislation, to call a hearing on cyber crime and privacy on Feb. 4, where John Mulligan, Target’s executive vice president and chief financial officer, is slated to testify.

Neiman Marcus disclosed on Jan. 10 that 1.1 million payment cards may have been compromised in its data security breach.

RILA said its initiative will focus on three major components. As it seeks to strengthen security against cyber attacks, the association will form a Retail Cybersecurity Leaders Council comprised of senior retail executives specializing in cybersecurity to improve security systems in the industry by sharing threat information and discussing effective solutions in a “trusted forum.”

RILA said it will lobby lawmakers to develop federal data security breach notification legislation to establish a national baseline and also work with legislators to help develop federal legislation that would strengthen the financial system and “at a minimum” establish mechanisms allowing information sharing between the public and private sectors. The retail group said it will also focus on ways to improve payment security, including eliminating the magnetic strip technology used on credit and debit cards, which a RILA spokesman called “antiquated.”

RILA said it will continue to press for the PIN security and chip-based smart card technology, security measures that branded card networks and issuing banks have used for years in Europe to protect consumers.

Kelly Tackett, U.S. research director at Planet Retail, a global retail data, technology and trend firm, said retailers bear some responsibility in installing more secure and advanced payment card systems.

“Although mobile or proximity payment systems have been on the industry’s radar for much of the past decade, the lack of a clear frontrunner along with consumer concerns about contactless payment security has contributed to a slow uptake,” Tackett said.

Asked why the U.S. has lagged behind Europe and has not moved to upgrade its payment card systems, a RILA spokesman said retailers have been pressing the financial sector for some time to “migrate” to the PIN and chip system being used in Europe.

“The recent breaches highlight the fact that we can’t take a static view of payment security,” he said. “We all agree the mag-stripes are an antiquated security system.”

RILA is also proposing to use its forum with the new initiative to discuss longer-term solutions to stay a step ahead of sophisticated criminals. A final plank of the initiative focuses on addressing consumer privacy.