Updated July 2014
NAFCU President and CEO Dan Berger told Gerri Willis on Fox Business January 17 about the need to set national data security standards for merchants and retailers.
Background & Recent News
Data security breaches are a serious problem for both consumers and businesses. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs. The number and scope of data breaches are significant, and the damage realized may surprise those who have not been intimately involved.
Recent Data Security Breaches
In December 2013 at the height of holiday shopping season, the Target Corporation announced that as many as 40 million credit- and debit-card customers were exposed to potential fraud. Target acknowledged that customer names, credit or debit card numbers, their expiration dates and encrypted security codes, as well as encrypted debit card PIN data was among the information stolen when its systems were breached.
Then in early 2014, Neiman Marcus and Michaels Stores Inc. admitted to breaches during the same time frame. While it will be many months before the true breadth of either breach is realized by financial institutions and their customers, Michaels recently reported that as many as 2.6 million customers had their information compromised between May 8, 2013 and January 27, 2014, and another 400,000 consumers' credit cards were compromised at their Aaron Brothers stores.
Unfortunately, the Target and Neiman Marcus, Neiman Marcus, and Michaels breaches are just the latest in a long line of major data security breaches:
- In May 2011, Michaels Stores, Inc. notified its customers that more than 90 terminals in 20 different states had been compromised in a debit card PIN scheme. Tens of thousands of customers' debit cards may have been compromised and the scheme has been linked to hundreds of thousands of dollars in fraudulent withdrawals in California alone.
- In 2009, the Heartland Payments Systems, the sixth-largest payments processor at the time, announced that its processing systems were breached in 2008, exposing sensitive data associated with 130 million U.S. debit and credit cards.
- An estimated 4.2 million credit and debit card numbers were stolen from Hannaford Bros. Grocery Stores in the New England area in 2008.
- Retail giant TJX lost 94 million customer records in 2007.
Effects of Data Security Breaches
The emotional toll that a data breach can take on consumers is immense. Information and identities can be stolen, fraudulent account charges can occur, and credit scores can be damaged. Along with consumers, credit unions also face financial burdens when fraud is incurred. Credit unions are often forced to charge off fraud losses, some of which stem from the failure of merchants to protect sensitive financial information about their customers or the illegal maintenance of such information in their systems.
In cases of data breaches or fraud it is the credit union that must notify their members, issue new cards, change account numbers, and perform a host of other activities, all of which cost both time and money. The merchant who failed to protect the data is often undisclosed and unknown to the consumer and does not pay to make the consumer whole. Interchange fees have historically been one way in which the costs of such breaches were offset by merchants. However, recent Congressional action to limit debit interchange fees does not recognize this problem and will result in heavier burdens falling on financial institutions and consumers. Educating lawmakers about the significance of debit interchange to help offset data breaches at the hands of retailers is critical.
Meanwhile, as cases of fraud become more prevalent, costs that credit unions pay for insurance, prevention services, and staff to handle member concerns continues to grow. As the volume of plastic card usage increases, so does the risk of data breaches and fraud.
Despite the fact that they are rarely the source of significant data breaches, credit unions and other financial institutions are still mandated to protect data consistent with the provisions set out in the Gramm-Leach-Bliley Act. In addition to complying with Gramm-Leach-Bliley, credit unions have been known to go above and beyond in helping their members navigate the steps they should take if they have been the victims of fraud. It should be noted that there is no comprehensive regulatory structure similar to Gramm-Leach-Bliley for retailers, merchants, or others who collect or hold sensitive information.
NAFCU’s Position on Data Security
NAFCU was the first financial services trade association to weigh in on this issue on Capitol Hill in the wake of the Target breach. Lawmakers are monitoring the situation and several Congressional hearings have been held to learn more about the breach and discuss potential legislation that would better protect consumers from ongoing data breaches. NAFCU weighed in at each hearing asking for federal standards to ensure that merchants are responsible for breaches that occur on their end.
Of note, Senators Tom Carper, D-Del., and Roy Blunt, R-Mo. recently introduced S.1927, the Data Security Act of 2014, to require minimum data security measures and breach notification requirements to all U.S. businesses. Like similar legislation the senators proposed in 2012, the new bill provides a Gramm –Leach–Bliley Act carve-out for financial institutions – a provision that NAFCU deems essential in any new data security package. Breached entities would be responsible for investigating the scope of the breach and reporting the findings to appropriate agencies and victims.
The items NAFCU would like to see addressed in any comprehensive data security bill include:
- Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require merchants to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame. The entity that is best situated to mitigate the risk to sensitive data should be the liable party when a breach occurs.
- National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants, and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
- Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to by providing their personal information. NAFCU believes that this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant, but would provide an important benefit to the public at large.
- Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the timely disclosure of identities of companies and merchants whose data systems have been violated, so consumers are aware of those that place their personal information at risk.
- Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached.
- Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions to the list of those to be informed of any compromised personally identifiable information when, associated accounts are involved.
- Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information, but sustained a violation regardless. The law is currently vague on this issue, and NAFCU therefore asks that this burden of proof be clarified in statute.
NAFCU made data security a key pillar of its Five-Point Plan for Regulatory Relief rolled out at the beginning of this Congress in February of 2013 and will continue to push lawmakers to act on this issue moving forward.
NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.
NAFCU: Lack of National Data Security Standards for Retailers Remain Six Months After Target Data Breach (June 19, 2014)
Cybercrime Thrives Amid Lack of National Data Security Standards for Retailers (Huffington Post, June 17, 2014)
NAFCU: Rampant Data Breaches Require National Standards on Data Security For Retailers (June 11, 2014)
After another data breach, Congress pressed to act (The Hill's Technology Blog, April 18, 2014)
Credit unions renew push for data security law (The Hill's Technology Blog, March 20, 2014)
No One is Secure While Data Security Is a One-Sided Proposition (Huffington Post, March 12, 2014)
On data security, hold merchants to the same standards as financial institutions (The Hill's Congress Blog, February 27, 2014)
NAFCU: Credit Unions Pay High Price for Data Breaches (February 10, 2014)
NAFCU Wants Data Security Standards (POLITICO Morning Money, January 23, 2014)
What can be done to protect consumers from data breaches? (Fox Business, January 17, 2014)
Take a warning from the Target breach (CUInsight, January 17, 2014)
Congress Must Make Retailers Responsible for Data Breaches (American Banker, January 15, 2014)
NAFCU Applauds Introduction of Carper-Blunt Data Security Bill, S. 1927 (January 15, 2014)
U.S. senators ask Target CEO for information on data breach (Reuters, January 14, 2014)
70 million names, addresses stolen in Target hack (The Hill, January 10, 2014)
NAFCU Renews Call For Congressional Action on Data Breaches (January 10, 2014)
Reaction Follows Target Data Breach Upgrade (Credit Union Times, January 10, 2014)
Customers paying the price after Target breach (CNBC, January 3, 2014)
Are Retailers Doing Enough to Protect Consumers From Data Breaches? (Huffington Post, December 26, 2013)
Recent Data Security Comment Letters
Read recent letters from NAFCU to members of Congress on key data security issues that affect credit unions and their members.
6-11-2014 NAFCU letter on Data Security and holding retailers accountable
4-18-2014 NAFCU letter on Data Security (Michaels Breach)
3-19-2014 NAFCU letter on Data Security
2-05-2014 Financial Trades letter regarding Data Security
2-04-2014 NAFCU letter on Data Security
2-03-2014 NAFCU letter on Senate Judicary Data Security Hearing
1-28-2014 NAFCU-ICBA letter calling for national standards on data security (Senate)
1-22-2014 NAFCU letter calling for national standards on data security (House)
1-22-2014 NAFCU letter calling for national standards on data security (Senate)
1-13-2014 NAFCU letter calling for action on data security (House)
1-13-2014 NAFCU letter calling for action on data security (Senate)
12-19-2013 NAFCU letter to House, Target Data Breach
12-19-2013 NAFCU letter to Senate, Target Data Breach
7-17-2013 NAFCU letter on Data Security