Data security breaches are a serious problem for both consumers and businesses. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs, whether online or otherwise. A February 2015 NAFCU survey reports credit unions, on average, spent $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.
Despite the fact that many credit unions have implemented sophisticated and effective data security (including cybersecurity) safeguards, attackers adapt to constantly evolving technology and find new ways to penetrate systems. Credit unions must make efforts to stay one step ahead, a core function of their organization. In addition, all entities – not just financial institutions – that handle consumer information should comply with comprehensive federal data protection standards.
In May 2015, Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del. introduced a NAFCU-backed bipartisan bill, the Data Security Act of 2015 (H.R. 2205), setting data protection standards, outlining a process for notifications and recognizing financial institutions' compliance with the Gramm-Leach-Bliley Act. The bill closely aligns with legislation introduced a few weeks prior by Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo. – Data Security Act of 2015 (S. 961). NAFCU supports their efforts and will continue to push for a data security bill that would create a strong national standard of protection for retailers, recognize credit unions' compliance with the Gramm-Leach-Bliley Act and hold retailers accountable for breaches occurring on their end. We urge credit unions to take action and ask their members of Congress to support the Data Security of 2015.
On May 14, 2015, the House Committee on Financial
Services held a hearing entitled, “Protecting Consumers: Financial Data
Security in the Age of Computer Hackers.” Members of the committee discussed the
pitfalls of the patchwork of state legislation addressing data security
breaches and the comparative success of the Gramm-Leach-Bliley Act, which
applies to credit unions and other financial institutions. Several witnesses noted problems with
conflicting state laws that require different information to be included in
breach notifications, and which impose different timelines. Another witness testified that Gramm-Leach-Bliley
has worked for financial institutions and would work equally as well for other
industries in the payments ecosystem because it is both scalable and flexible.
On April 22, 2015, NAFCU President and CEO B. Dan Berger testified before the House Small Business Committee during a hearing titled "Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks." In his testimony, Berger detailed how credit unions have successfully minimized data breaches and why it's important that others do the same. NAFCU continues to seek passage of a data security bill that would create a strong national standard of data protection for retailers, recognize credit unions' compliance with the Gramm-Leach-Bliley Act and hold retailers accountable for breaches occurring on their end.
VIDEO: Berger talks about his testimony on data security and the call for greater retailer accountability (5/8/15)
NAFCU was the first financial services trade association to weigh in on the data security issue on Capitol Hill in the wake of the 2013 Target data security breach. During hearings to discuss potential legislation that would better protect consumers from ongoing data breaches, we have asked for federal standards to ensure that merchants are responsible for breaches that occur on their end.
As the cybersecurity threat to national security grows, industry and agencies alike are urging federal action to establish national safeguards and standards.
The items NAFCU would like to see addressed in any comprehensive data security bill include:
NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.
NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.
COMMUNITY BANKS, CUs WANT MORE FROM TARGET-VISA DEAL (POLITICO Morning Money, August 19, 2015)
Target settles with Visa over data breach (Security Info Watch, August 19, 2015)
Eye on Security: Visa-Target Settlement (Digital Transactions, August 19, 2015)
Target, Visa agree on $67M to settle data breach (Retail DIVE, August 19, 2015)
Target pens settlement agreement with Visa over 2013 security breach (Ledger Gazette, August 19, 2015)
Target to pay Visa issuers up to $67M over data breach (CNBC.com, August 18, 2015)
Target to Settle Claims Over Data Breach (The Wall Street Journal, August 18, 2015)
Target Reaches Settlement With Visa Over 2013 Data Breach (Nasdaq, August 18, 2015)
Target Settles With Visa for $67 Million (Credit Union Times, August 18, 2015)
Target, Visa Reach $67-Million Settlement Over Breach (CUtoday.info, August 18, 2015)
Target settles Visa card issuer claims in breach (Minneapolis Star Tribune, August 18, 2015)
NAFCU Statement In Response to Report of Proposed $67 Million Target Settlement with Visa on Data Breach
(August 18, 2015)
Keep Moving Forward With Data Security Bill, Groups Tell Senate (CUtoday.info, August 4, 2015)
NAFCU Launches New Compliance Cyber Café (CUtoday.info, August 3, 2015)
Home Depot Moves to Dismiss Breach Suit (Credit Union Times, July 8, 2015)
Home Depot Wants Court To Toss Lawsuit By Banks, CUs (CUtoday.info, July 8, 2015)
Cybersecurity Legislation Holds Retailers Accountable (Credit Union Times, June 19, 2015)
House Holds Hearing On Cyber Threats (CUtoday.info, June 16, 2015)
Congress must act against cyber crime (The Hill, June 15, 2015)
Federal Worker CUs Brace For Impact From OPM Data Breach (Credit Union Journal, June 15, 2015)
NCUA Says Staff Records Not Involved In OPM Hack (CUtoday.info, June 8, 2015)
Data Breach Exposes 4 Million Government Workers (Credit Union Times, June 4, 2015)
7-7-2015 NAFCU Letter on Cyber Security and Data Security
5-1-2015 Joint Trades Letter to the House in Support of the Data Security Act of 2015 (H.R. 2205)
5-1-2015 Joint Trades Letter to the Senate in Support of the Data Security Act of 2015 (S. 961)
4-2-2015 NAFCU Letter Regarding FMI's EMV Delay Request
2-4-2015 NAFCU Letter on the Importance of Data Security
2-3-2015 NAFCU Letter to the Senate Commerce Committee
1-27-2015 NAFCU Letter on How Congress Must Tackle Cybersecurity and Data Security Together
1-23-2015 NAFCU Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Senate
1-23-2015 Joint Trades Letter on Data Security to the House
1-14-2015 NAFCU Letter to Congressional Leadership Urging for a Bipartisan-Bicameral Working Group on Data Security
View all NAFCU policy letters
In December 2014, the Payment Security Task Force (PST), of which NAFCU is a member, issued a white paper on protecting cardholder data at the merchant's physical or virtual point of sale. Download PST's "U.S. Payments Security Evolution and Strategic Road Map" paper.
Current cyber-related law and recent legislative proposals and action are outlined in the Congressional Research Service (CRS) report from June 20, 2013, titled Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions.
The National Credit Union Administration's cybersecurity guidance, 13-Risk-01, lists a number of mitigation practices that credit unions should implement, including:
The following websites also offer resources that may help your credit union bolster the measures you have already taken:
Updated July 2015