A top U.S. financial regulator on Thursday told lawmakers that retailers and other companies that deal with customer payments should have the same obligation as banks to report data breaches.
That and other high-profile data breaches have reignited a debate about whose responsibility it is to protect against cyber crime and how customers should be notified.
U.S. Federal Reserve Governor Daniel Tarullo told the Senate Banking Committee that regulators require banks to notify customers and take certain remediation steps when breaches happen.
But strict rules do not exist for retailers and other players in the electronic payments system, including third-party processors.
"I think you probably need some uniform requirements on disclosure when breaches have actually taken place," Tarullo said. "Until the banks and customers are sure that they know whenever anything has happened with their data, it's going to be hard for people to respond."
Tarullo did not specifically call for legislation.
Bank groups argued in letters to Congress this week that retailers' lack of disclosure requirements prevents information from reaching customers quickly.
"We believe that legislation should be enacted to better protect consumers by replacing the current patchwork of state laws with a national standard for data protection and notice," the American Bankers Association, Consumer Bankers Association and other groups said in a letter to lawmakers on Monday.
Federal Deposit Insurance Corp Chairman Martin Gruenberg said Congress should take a look at updating laws governing those outside service providers that work with banks.
"I think the gap here is for the nonbanking sector that needs focus and attention," Gruenberg said at the Senate hearing on Thursday.
The Securities and Exchange Commission said this week it plans to review asset managers' policies to prevent cyber attacks to make sure they safeguard against security risks that could arise from vendors having access to their systems.Mary Miller, the U.S. Treasury Department's undersecretary for domestic finance, also told lawmakers on Thursday that it would be "valuable" if Congress passed comprehensive cybersecurity legislation.