Updated November 2013
Data security breaches are a serious
problem for both consumers and businesses. Financial institutions, such as
credit unions, also bear a significant burden as they incur steep losses in
order to reestablish member safety after a data breach occurs. The number and
scope of data breaches are significant, and the damage realized may surprise
those who have not been intimately involved.
For example, in 2009, Heartland
Payment Systems, a company that processes card payments for restaurants,
retailers, and other merchants, disclosed that the computer the company used to
process transactions had been compromised. Customer records, for over 100
million payment card transactions per month at nearly 175,000 merchants, were
stolen. Millions of American consumers instantly became victims. Other infamous
data breaches include the estimated 4.2 million credit and debit card numbers
stolen from Hannaford Bros. Grocery Stores in the New England area in 2008 and
retail giant TJX losing 94 million customer records in 2007.
On May 11, 2011, Michaels Stores,
Inc. notified its customers that more than 90 terminals in 20 different states
had been compromised in a debit card PIN scheme. Tens of thousands of
customers' debit cards may have been compromised and the scheme has been linked
to hundreds of thousands of dollars in fraudulent withdrawals in California
alone. The emotional toll that a data breach can take on consumers is immense.
Information and identities can be stolen, fraudulent account charges can occur,
and credit scores can be damaged. Along with consumers, small financial
institutions like credit unions also face financial burdens when fraud is
incurred. Credit unions are often forced to charge off fraud losses, some of
which stem from the failure of merchants to protect sensitive financial
information about their customers or the illegal maintenance of such
information in their systems.
In cases of data breaches or fraud,
as demonstrated by the Michaels Stores breach mentioned above, it is the credit
union that must notify their members, issue new cards, change account numbers,
and perform a host of other activities, all of which cost both time and money.
The merchant who failed to protect the data is often undisclosed and unknown to
the consumer and does not pay to make the consumer whole. Interchange fees have
historically been one way in which the costs of such breaches were offset by
merchants. However, recent Congressional action to limit debit interchange fees
does not recognize this problem and will result in heavier burdens falling on
financial institutions and consumers. Educating lawmakers about the
significance of debit interchange to help offset data breaches at the hands of
retailers is critical.
Meanwhile, as cases of fraud become
more prevalent, the costs that credit unions pay for insurance, prevention
services, and staff to handle member concerns continue to grow. As the volume
of plastic card usage increases, so does the risk of data breaches and fraud.
Despite the fact that they are
rarely the source of significant data breaches, credit unions and other
financial institutions are still mandated to protect data consistent with the
provisions set out in the Gramm-Leach-Bliley Act. In addition to complying with
Gramm-Leach-Bliley, credit unions have been known to go above and beyond in
helping their members navigate the steps they should take if they have been the
victims of fraud. It should be noted that there is no comprehensive regulatory
structure similar to Gramm-Leach-Bliley for retailers, merchants, or others who
collect or hold sensitive information.
In February of 2013, the NCUA alerted
credit unions about "chatter" that had been detected about potential
widespread attacks possibly planned for May, and identified policies and
procedures to guard against DDoS attacks in a credit union risk alert (13-Risk-01). Although it was not possible to assess the
veracity of the threat, NCUA wanted to ensure that credit unions were aware and
prepared. The alert noted that the sophistication of such attacks requires
the vigilance of credit unions offering Internet-based financial services.
DDoS attacks are attempts to disrupt or suspend an online
service by saturating the target's network with external communication requests
in order to overload its servers. If a credit
union is subject to this type of attack, it will see a large spike in
Internet traffic to its website from one or more IP addresses, and the website
will become unresponsive.
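The indicator the alert describes, a sharp rise in requests from one or more source addresses, can be checked directly against a web server's access log. The script below is an added example written for this page; it is not code from NAFCU or from the NCUA risk alert. It builds its own sample log lines in Common Log Format using documentation IP ranges, and the window size, per-source threshold and spike factor are assumptions that an operator would tune to the site's normal baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ip, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def bucket(ts, window_seconds):
    """Start of the fixed window (as a Unix timestamp) that contains ts."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % window_seconds)


def per_source_counts(lines, window_seconds=60):
    """Map each window start to a Counter of requests per source IP."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than abort the whole run
        ip, ts, _ = parsed
        counts[bucket(ts, window_seconds)][ip] += 1
    return counts


def flag_heavy_sources(lines, window_seconds=60, threshold=100):
    """IPs that sent at least `threshold` requests in any single window (assumed threshold)."""
    flagged = {}
    for counter in per_source_counts(lines, window_seconds).values():
        for ip, n in counter.items():
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def flag_volume_spikes(lines, window_seconds=60, factor=5.0, min_requests=50):
    """Window starts whose total request count exceeds `factor` times the median of the other windows.

    This catches a flood spread across many addresses, which a per-source threshold misses.
    """
    totals = {start: sum(c.values()) for start, c in per_source_counts(lines, window_seconds).items()}
    if len(totals) < 2:
        return []
    spikes = []
    for start in sorted(totals):
        others = sorted(v for s, v in totals.items() if s != start)
        baseline = others[len(others) // 2]  # median of the remaining windows
        if totals[start] >= min_requests and totals[start] > factor * max(baseline, 1):
            spikes.append(start)
    return spikes


def make_line(ip, ts, path="/"):
    """Format one constructed CLF line (sample data, not a real log)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1024'


def constructed_sample():
    """Ten quiet minutes of member traffic followed by one minute of flood, all constructed."""
    base = datetime(2013, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(10):
        for i, ip in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
            for k in range(3):
                lines.append(make_line(ip, base + timedelta(minutes=minute, seconds=i * 10 + k), "/online-banking"))
    # Minute 10: 400 requests from two addresses in the TEST-NET-3 documentation range
    for k in range(400):
        ip = "203.0.113.5" if k % 2 == 0 else "203.0.113.6"
        lines.append(make_line(ip, base + timedelta(minutes=10, seconds=k % 60), "/"))
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print("heavy sources:", flag_heavy_sources(sample))
    print("spike windows:", [datetime.fromtimestamp(s, timezone.utc).isoformat() for s in flag_volume_spikes(sample)])
```

Both checks are needed: the per-source count identifies a small number of noisy addresses, while the volume check still fires when the flood is spread thinly across many sources. In production the same logic would read the live access log and raise an alert to the team responsible for the institution's Internet-facing services.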
Also in February, President Obama
signed an Executive Order addressing cybersecurity issues. The
"framework" of the order allows intelligence to be gathered on
cyberattacks and cyberthreats to privately owned critical national
infrastructure — such as the private defense sector, utility networks, and the
banking industry — so they can better protect themselves, as well as the
general US population, the economy, and other nations that are reliant on US
support. Read additional information about the Executive Order.
In June Senator Toomey
(R-PA) introduced S.1193, the Data
Security and Breach Notification Act of 2013, which among other provisions, would require
companies to notify consumers promptly if their personal information was
stolen. Given the reputational risk
credit unions oftentimes suffer when personally identifiable information of
their members is lost at the hands of outside parties, NAFCU appreciates
Senator Toomey’s efforts as a step in the right direction. NAFCU has suggested
several ways to strengthen this measure, and included these suggestions in the
comprehensive Five-Point Plan for Regulatory Relief rolled
out at the beginning of this Congress.
The items NAFCU would like to see addressed in any comprehensive data
security bill include:
- Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches
resulting from card use be reduced. A reasonable and equitable way of
addressing this concern would be to require merchants to be accountable
for costs of data breaches that result on their end, especially when their
own negligence is to blame. The entity that is best situated to mitigate
the risk to sensitive data should be the liable party when a breach
- National Standards for Safekeeping Information: It is critical that sensitive personal information be
safeguarded at all stages of transmission. Under Gramm-Leach-Bliley,
credit unions and other financial institutions are required to meet
certain criteria for safekeeping consumers' personal information.
Unfortunately, there is no comprehensive regulatory structure akin to
Gramm-Leach-Bliley that covers retailers, merchants, and others who
collect and hold sensitive information. NAFCU strongly supports the
passage of legislation requiring any business entity responsible for the
storage of consumer data to meet standards similar to those imposed on
financial institutions under the Gramm-Leach-Bliley Act.
- Data Security Policy Disclosure: Many consumers are unaware of the risks they are
exposed to by providing their personal information. NAFCU believes that
this problem can be alleviated by simply requiring merchants to post their
data security policies at the point of sale if they take sensitive
financial data. Such a disclosure requirement would come at little or no
cost to the merchant, but would provide an important benefit to the public.
- Disclosure of Breached Entity: NAFCU believes that consumers should have the right to
know which business entities have been breached. We urge Congress to
mandate the timely disclosure of identities of companies and merchants
whose data systems have been violated, so consumers are aware of those
that place their personal information at risk.
- Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the
violation of existing agreements and law by merchants and retailers who
retain payment card information electronically. Many entities do not
respect this prohibition and store sensitive personal data in their
systems, which can be breached.
- Notification of the Account Servicer: The account servicer or owner is in the unique
position of being able to monitor for suspicious activity and prevent
fraudulent transactions before they occur. NAFCU believes that it would
make sense to include entities such as financial institutions in the list
of those to be informed of any compromised personally identifiable
information when associated accounts are involved.
- Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers
whole after they are harmed by a data breach, NAFCU believes that the
evidentiary burden of proving a lack of fault should rest with the
merchant or retailer who incurred the breach. These parties should have
the duty to demonstrate that they took all necessary precautions to guard
consumers' personal information, but sustained a violation regardless. The
law is currently vague on this issue, and NAFCU therefore asks that this
burden of proof be clarified in statute.
On December 1, 2011, Air Academy FCU
President and CEO Glenn Strebe testified on behalf of NAFCU regarding
small-business cyber security issues before the House Small Business
Subcommittee on Healthcare and Technology. In addition to the list above, Strebe
told lawmakers that all entities - not just financial institutions - that
handle consumers' personal data should comply with comprehensive data
protection rules and standards, and that the lack of requirements for
merchants, retailers or other non-depository entities to disclose breaches of
their data systems leaves credit unions and other institutions exposed to
reputation risk when they must disclose such incidents to consumers. He
stressed that legislation that sets some kind of notification requirement would
help credit unions preserve the good will of their memberships when such
breaches occur. Read his testimony.
NAFCU continues to monitor this
issue and will provide updates as they occur. Read more about issues related specifically to cybersecurity.
Data Security Comment Letters
7-17-2013 NAFCU letter on Data Security
5-20-2013 NAFCU letter on Cyber Security and Data Security
4-16-2013 NAFCU letter on Cyber Security and Data Security
7-31-12 Reid-McConnell Cyber Security Bill and the Carper-Blunt Amendment
4-23-12 Boehner-Pelosi Cyber and Data Security Comment Letter
9-20-11 Rockefeller-Hutchison Comment Letter
7-19-11 Mack-Butterfield H.R. 2577 Mark-Up Comment Letter
6-20-11 Johnson-Shelby Data Protection in the Financial Sector Comment Letter
6-14-11 Mack-Butterfield Data Security and Breach Notification Comment Letter
6-1-11 Mack-Butterfield Data Security Comment Letter
5-3-11 Mack-Butterfield Data Security Comment Letter
11-15-10 Pelosi-Boehner Data Security Comment Letter
11-15-10 Reid-McConnell Data Security Comment Letter