FOR IMMEDIATE RELEASE | December 10, 2014

NAFCU, Writing to Senate Banking Committee, Urges Action on National Data Security Standards for Retailers

Washington (Dec. 9, 2014) – National Association of Federal Credit Unions (NAFCU) Senior Vice President of Government Affairs and General Counsel Carrie Hunt today urged congressional action on national data security standards for retailers in a letter sent in advance of the Senate Banking Committee's hearing Dec. 10 on cybersecurity.

"It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information," Hunt, referring to requirements of the Gramm-Leach-Bliley Act, wrote in the letter to Senate Banking Committee Chairman Tim Johnson, D-S.D., and Ranking Member Mike Crapo, R-Idaho. "Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants and others who collect and hold sensitive information."

The full text of the letter follows:

December 9, 2014

The Honorable Tim Johnson
Chairman
Committee on Banking, Housing and Urban Affairs
United States Senate
Washington, D.C. 20510

The Honorable Mike Crapo
Ranking Member
Committee on Banking, Housing and Urban Affairs
United States Senate
Washington, D.C. 20510

Re: Cybersecurity and Data Security

Dear Chairman Johnson and Ranking Member Crapo:

On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation's federally chartered credit unions, I write in conjunction with tomorrow's hearing, "Cybersecurity: Enhancing Coordination to Protect the Financial Sector." Credit unions serve over 98 million members across the country and we appreciate your interest in fighting against cyber threats in the financial services sector.

In commenting on the importance of cybersecurity just yesterday, National Credit Union Administration Chairman Debbie Matz noted that credit unions will find an active partner with NCUA when it comes to cybersecurity and protecting financial data. While credit unions and other financial institutions have been subject to standards on data security since the passage of the Gramm-Leach-Bliley Act, including having federal regulators to oversee and work with them on these standards, retailers and merchants are not held to the same high standards of data security. As Chairman Matz also noted in her comments, "Retailers should be held to the same high data protection standards. It is time to end the double standard." NAFCU agrees and is hopeful that Congress will also take legislative action to address ongoing data security breaches at our nation's retailers.

NAFCU continues to recommend that Congress make the following priorities in any legislation dealing with cybersecurity and data security:

  • Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require entities to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame.
  • National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
  • Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.
  • Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.
  • Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk.
  • Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached easily in many cases.
  • Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute.

Again, thank you for your interest in enhancing the security of the financial sector and holding this important hearing. NAFCU urges Congress to come together in a bipartisan way and put forward legislative recommendations to hold retailers to the same strict standards of cybersecurity and data security that financial institutions must already adhere to.

On behalf of our nation's credit unions and their 98 million members, we thank you for your attention to this important matter. If my staff or I can be of assistance to you, or if you have any questions regarding this issue, please feel free to contact me or NAFCU's Vice President of Legislative Affairs, Brad Thaler, at (703) 842-2204.

Sincerely,

Carrie R. Hunt

cc: Members of the Senate Banking Committee