April 24, 2012

Becker urges House action on data security

April 24, 2012 – NAFCU President and CEO Fred Becker on Monday urged House leaders to keep the protection of consumers' personal financial information in mind as they work toward a vote on a bill addressing the sharing of information about cyber threats.

Becker said the risk of a data breach remains a serious problem for consumers and businesses. Many, he said, don't realize that their every use of a plastic card for payment – at a store register or online – exposes them to potential theft of their financial information and their identity. "Consumers trust that entities collecting this type of information will, at the very least, make a minimal effort to protect them from such risks," he said.

The House is poised this week to begin consideration of H.R. 3523, the Cyber Intelligence Sharing and Protection Act. The package addresses the sharing of cyber threat information between the intelligence sector and the private sector. It's a worthwhile issue, Becker said, but the issue of consumer data security deserves to be addressed.

"NAFCU is pleased to see the House debate the issue of cyber security, but [we] urge you not to forget the issue of data security," the NAFCU president wrote.

Becker, calling data security a "common-sense, bipartisan" issue, noted that credit unions and other financial institutions are already subject to a data security process under the Gramm-Leach-Bliley Act. Retailers and others that handle sensitive personal financial information are not, however.

Becker urged lawmakers to consider specific data security measures as they move forward on the cyber threat legislation. He recommended that:

  • breached entities be held accountable for costs of data breaches on their end;
  • any entity responsible for storing consumer data be required to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act;
  • merchants be required to post their data security policies at point of sale if they take sensitive financial data there;
  • notification now provided to account servicers or owners also be provided to financial institutions with respect to associated accounts;
  • Congress mandate the disclosure of identities of businesses whose data systems have been violated, so consumers know where their personal information is at risk;
  • regulators enforce the current prohibition against the retention of sensitive personal data (a prohibition which is regularly violated); and
  • the merchant or retailer incurring the breach be required to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation anyway.