Data Security

Data security breaches are a serious problem for both consumers and businesses. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs, whether online or otherwise. A February 2015 NAFCU survey reports credit unions, on average, spent $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.

Although many credit unions have implemented sophisticated and effective data security (including cybersecurity) safeguards, attackers adapt to constantly evolving technology and find new ways to penetrate systems. Staying a step ahead of them is a core function of every credit union. In addition, all entities – not just financial institutions – that handle consumer information should be required to comply with comprehensive federal data protection standards.

Recent Activity on Capitol Hill

On October 7, 2015, Jan Roche, President and CEO of State Department Federal Credit Union and NAFCU board member, testified before the House Small Business Committee at a hearing regarding the recent EMV transition entitled, "The EMV Deadline and What it Means for Small Businesses." Roche testified alongside representatives from Visa, ICBA, and the Electronic Transactions Association. Roche's testimony emphasized that the best way to protect the financial system against payments fraud is through a national data security standard and urged the committee to support H.R. 2205, the Data Security Act of 2015.

In May 2015, Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del. introduced a NAFCU-backed bipartisan bill, the Data Security Act of 2015 (H.R. 2205), setting data protection standards, outlining a process for notifications and recognizing financial institutions' compliance with the Gramm-Leach-Bliley Act. The bill closely aligns with legislation introduced a few weeks prior by Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo. – Data Security Act of 2015 (S. 961). NAFCU supports their efforts and will continue to push for a data security bill that would create a strong national standard of protection for retailers, recognize credit unions' compliance with the Gramm-Leach-Bliley Act and hold retailers accountable for breaches occurring on their end. We urge credit unions to take action and ask their members of Congress to support the Data Security Act of 2015.  

On May 14, 2015, the House Committee on Financial Services held a hearing entitled, "Protecting Consumers: Financial Data Security in the Age of Computer Hackers." Members of the committee discussed the pitfalls of the patchwork of state legislation addressing data security breaches and the comparative success of the Gramm-Leach-Bliley Act, which applies to credit unions and other financial institutions. Several witnesses noted problems with conflicting state laws that require different information to be included in breach notifications and impose different timelines. Another witness testified that Gramm-Leach-Bliley has worked for financial institutions and would work equally well for other industries in the payments ecosystem because it is both scalable and flexible.

On April 22, 2015, NAFCU President and CEO B. Dan Berger testified before the House Small Business Committee during a hearing titled "Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks." In his testimony, Berger detailed how credit unions have successfully minimized data breaches and why it's important that others do the same.

VIDEO: Berger talks about his testimony on data security and the call for greater retailer accountability (5/8/15)
NAFCU's Position on Data Security

NAFCU was the first financial services trade association to weigh in on the data security issue on Capitol Hill in the wake of the 2013 Target data security breach. During hearings to discuss potential legislation that would better protect consumers from ongoing data breaches, we have asked for federal standards to ensure that merchants are responsible for breaches that occur on their end.

As the cybersecurity threat to national security grows, industry and agencies alike are urging federal action to establish national safeguards and standards.

The items NAFCU would like to see addressed in any comprehensive data security bill include:

  • Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require merchants to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame. The entity that is best situated to mitigate the risk to sensitive data should be the liable party when a breach occurs.
  • National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants, and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
  • Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to by providing their personal information. NAFCU believes that this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant, but would provide an important benefit to the public at large.
  • Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the timely disclosure of identities of companies and merchants whose data systems have been violated, so consumers are aware of those that place their personal information at risk.
  • Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached.
  • Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes it makes sense to add entities such as financial institutions to the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.
  • Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information, but sustained a violation regardless. The law is currently vague on this issue, and NAFCU therefore asks that this burden of proof be clarified in statute.

NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.

Recent Media Outreach

NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.

CU Trade Groups Join Others In Pushing For Cybersecurity Bill (November 22, 2015)

State AGs Back Mandatory PIN Use for Cards (Credit Union Journal, November 17, 2015)

NAFCU Presses Senate For Stronger Retailer Data Security Standards (November 3, 2015)

CISA Passes Senate, Heads to House (Credit Union Times, October 28, 2015)

Senate Passes Cybersecurity Information Sharing Act (October 27, 2015)

NAFCU Statement on Senate Passage of S. 754, the 'Cybersecurity Information Sharing Act' (CISA) (October 27, 2015)

NAFCU's Carrie Hunt Addresses the Long Overdue Data Security Act of 2015 (CU broadcast, October 26, 2015)

Study Finds Breaches At Small Retailers On The Increase; Half of Members Asking Questions (October 22, 2015)

NAFCU's Oct. Economic & CU Monitor: National Data Security for Retailers Should Be Priority for Congress (October 22, 2015)

NAFCU Statement in Response to House Small Business Committee's Second Hearing on EMV Transition (October 21, 2015)

Data security: A shared responsibility (The Hill, October 21, 2015)

Amid EMV Shift, NAFCU Head Calls for Stronger Regulations for Merchants (Mobile ID World, October 21, 2015)

Senate Takes Up Key Cybersecurity Bill (CU Journal, October 21, 2015)

CU, Bank Trades Urge Support For Cyber Security Bills (October 20, 2015)

NAFCU Reminds That EMV Is No 'Silver Bullet' (October 20, 2015)

NAFCU: EMV Chip-Card Transition Is Not Silver Bullet, Cybersecurity and Consumer Protection Require Multi-Tiered Approach (October 20, 2015)  

CU Trades Join Others Ahead of Hearing In Urging Passage of Data Legislation (October 18, 2015)

Trade Groups Urge House Support of H.R. 2205 (October 15, 2015)

New Technology Prevents Counterfeiting Credit Cards (Epoch Times, October 11, 2015) 

EMV transition a milestone, not the end of the road (The Hill, October 8, 2015)

Lawmakers question switch to microchip credit cards (The Hill, October 7, 2015)

Jan Roche Testifies Before HSBC On EMV Deadline (October 7, 2015)

NAFCU to House Small Business Committee: EMV Not a 'Silver Bullet' to Broader Problem of Data Security (October 7, 2015) 

Target Data Breach Case Gets Class Action Status (September 17, 2015)

Judge Certifies Banks' Class Action Lawsuit Against Target (eSecurity Planet, September 17, 2015)

Judge Allows Class-Action Lawsuit Against Target in Data Breach (Entrepreneur, September 16, 2015)

St. Paul judge certifies class-action status to banks in Target breach suit (Bloomberg Business, September 16, 2015)

U.S. judge certifies class action over Target Corp data breach (Reuters, September 15, 2015)

Target Lawsuit Granted Class Action Status by Federal Court (Credit Union Journal, September 15, 2015) 

St. Paul judge certifies class action status to banks in Target breach suit (Minneapolis Star Tribune, September 15, 2015)

NAFCU Statement on Certification of Financial Institutions' Lawsuit As Class Against Target Corp. (September 15, 2015) 

Recent Policy Letters

11-2-2015 NAFCU Letter on Tomorrow's Hearing, "Data Brokers: Is Consumers' Information Secure?"

10-22-2015 Joint Trades Letter in Opposition to SA 2564 to S. 754, the "Cybersecurity Information Sharing Act"

10-20-2015 Joint Trades Letter in Support of S. 754, the "Cybersecurity Information Sharing Act" and S. 961, the "Data Security Act of 2015"

10-20-2015 NAFCU Letter on Tomorrow's Hearing on EMV Implementation

10-16-2015 Joint Trades Letter Ahead of the House Small Business Committee's Upcoming Hearing on the EMV Implementation

10-15-2015 Joint Trades Letter Urging Members of Congress to Support H.R. 2205, the "Data Security Act of 2015"

8-4-2015 Joint Trades Letter in Support of S. 754, the "Cybersecurity Information Sharing Act"

7-7-2015 NAFCU Letter on Cyber Security and Data Security

5-18-2015 NAFCU Letter on Data Security

5-1-2015 Joint Trades Letter to the House in Support of the Data Security Act of 2015 (H.R. 2205)

5-1-2015 Joint Trades Letter to the Senate in Support of the Data Security Act of 2015 (S. 961)

4-15-2015 NAFCU Letter on the Data Security and Breach Notification Act of 2015- H.R. 1770

4-2-2015 NAFCU Letter Regarding FMI's EMV Delay Request

2-4-2015 NAFCU Letter on the Importance of Data Security

2-3-2015 NAFCU Letter to the Senate Commerce Committee

1-27-2015 NAFCU Letter on How Congress Must Tackle Cybersecurity and Data Security Together

1-23-2015 NAFCU Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade

1-23-2015 Joint Trades Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade

1-23-2015 Joint Trades Letter on Data Security to the Senate

1-23-2015 Joint Trades Letter on Data Security to the House

1-14-2015 NAFCU Letter to Congressional Leadership Urging for a Bipartisan-Bicameral Working Group on Data Security

View all NAFCU policy letters

Additional Resources

On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool.

The assessment tool was developed by FFIEC's Cybersecurity and Critical Infrastructure Working Group, which was created to enhance communication among the FFIEC member agencies on cybersecurity preparedness. In addition to NCUA, the FFIEC member agencies are the Federal Reserve, FDIC, OCC, CFPB, and the State Liaison Committee.

Individual credit unions can use the assessment to identify their own risks and evaluate their cybersecurity preparedness. Use of the self-assessment tool is not mandatory, but NCUA plans to train its examiners to apply it during examinations so the agency can collect information about the credit union industry's cybersecurity preparedness as a whole. NCUA will aggregate data on credit union cybersecurity preparedness and share it with the other financial regulators within FFIEC.

In December 2014, the Payment Security Task Force (PST), of which NAFCU is a member, issued a white paper on protecting cardholder data at the merchant's physical or virtual point of sale. Download PST's "U.S. Payments Security Evolution and Strategic Road Map" paper.

Current cyber-related law and recent legislative proposals and action are outlined in the Congressional Research Service (CRS) report from June 20, 2013, titled Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions.

The National Credit Union Administration's cybersecurity guidance, 13-Risk-01, lists a number of mitigation practices that credit unions should implement, including:

  • Maintaining strong information security awareness programs for employees and members.
  • Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
  • Implementing strong controls over computers used to process commercial payments, including but not limited to:
    • Multifactor authentication
    • Removal of hardware tokens upon session completion.
    • Prohibited or highly filtered use of Internet browsing.
    • Dedicated, corporate-owned systems without administrator privileges.
  • Following network and application security best practices with regard to configuring systems, patch management, and security testing.
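The second practice above, transaction monitoring with limits commensurate with risk, is easier to reason about as a concrete decision rule. The following is an added example, not code from NAFCU or from the NCUA guidance: a small rule engine that applies per-tier limits, a rolling velocity window, and a new-beneficiary check to outbound funds transfers, releasing, holding for out-of-band verification, or rejecting each one. The account tiers, limit amounts, window size, and the sample transfers are all constructed for illustration.

```python
"""Added example: rule-based monitoring of outbound funds transfers.

Not from the NAFCU page or NCUA 13-Risk-01. Tier limits, velocity
window and sample transfers are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: Decimal
    beneficiary: str
    at: datetime
    verified_out_of_band: bool = False  # e.g. call-back to a number on file


# Assumed limits per account tier: a hard cap on a single transfer and a
# rolling-window aggregate cap. Neither can be overridden by verification.
TIER_LIMITS = {
    "consumer": {"single": Decimal("2500"), "aggregate": Decimal("5000")},
    "business": {"single": Decimal("25000"), "aggregate": Decimal("100000")},
}


class TransferMonitor:
    def __init__(self, account_tiers, window=timedelta(hours=24), max_in_window=3):
        self.tiers = account_tiers            # account -> tier name
        self.window = window                  # rolling window for velocity/aggregate
        self.max_in_window = max_in_window    # released transfers allowed per window
        self.released = defaultdict(list)     # account -> transfers actually released
        self.known_payees = defaultdict(set)  # account -> beneficiaries previously paid

    def decide(self, t):
        """Return (decision, flags) where decision is RELEASE, HOLD or REJECT."""
        limits = TIER_LIMITS[self.tiers[t.account]]
        recent = [r for r in self.released[t.account] if t.at - r.at <= self.window]
        flags = []
        if t.amount > limits["single"]:
            flags.append("over_single_limit")
        if sum((r.amount for r in recent), Decimal(0)) + t.amount > limits["aggregate"]:
            flags.append("over_aggregate_limit")
        if len(recent) >= self.max_in_window:
            flags.append("velocity")
        if t.beneficiary not in self.known_payees[t.account]:
            flags.append("new_beneficiary")

        # Hard limits are rejected outright, even if the member verified the request.
        if "over_single_limit" in flags or "over_aggregate_limit" in flags:
            return "REJECT", flags
        # Soft risk indicators hold the transfer until verified out of band.
        if flags and not t.verified_out_of_band:
            return "HOLD", flags
        # Only released transfers count toward velocity and teach the payee list.
        self.released[t.account].append(t)
        self.known_payees[t.account].add(t.beneficiary)
        return "RELEASE", flags


# Constructed sample: one business account and one consumer account.
T0 = datetime(2015, 10, 1, 9, 0)
SAMPLE = [
    Transfer("biz-001", Decimal("4000"), "Acme Supply", T0, verified_out_of_band=True),
    Transfer("biz-001", Decimal("4000"), "Acme Supply", T0 + timedelta(hours=1)),
    Transfer("biz-001", Decimal("9000"), "Offshore Ltd", T0 + timedelta(hours=2)),
    Transfer("biz-001", Decimal("30000"), "Acme Supply", T0 + timedelta(hours=3)),
    Transfer("mem-042", Decimal("1000"), "Landlord", T0 + timedelta(hours=3), verified_out_of_band=True),
    Transfer("mem-042", Decimal("1000"), "Landlord", T0 + timedelta(hours=4)),
    Transfer("mem-042", Decimal("1000"), "Landlord", T0 + timedelta(hours=5)),
    Transfer("mem-042", Decimal("1000"), "Landlord", T0 + timedelta(hours=6)),
    Transfer("mem-042", Decimal("2400"), "Landlord", T0 + timedelta(hours=7), verified_out_of_band=True),
]


def run_sample():
    """Run the constructed sample through a fresh monitor; returns (payee, decision, flags)."""
    monitor = TransferMonitor({"biz-001": "business", "mem-042": "consumer"})
    return [(t.beneficiary, *monitor.decide(t)) for t in SAMPLE]


if __name__ == "__main__":
    for payee, decision, flags in run_sample():
        print(f"{decision:8} {payee:14} {flags}")
```

The design point is that a held transfer is not recorded: it neither consumes the velocity budget nor adds the payee to the known list, so an attacker who has a member's credentials cannot "warm up" a mule account by submitting transfers that are never released. Verification can clear a new-payee or velocity hold, but it does not lift the hard limits, which belong to the account tier rather than to the session.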

The following websites also offer resources that may help your credit union bolster the measures you have already taken:

Updated October 2015