Data security breaches are a serious problem for both consumers and businesses. In fact, a recent Gallup survey reports that having one's credit card information from stores stolen is the top worry among Americans. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs, whether online or otherwise. A February 2015 NAFCU survey reports credit unions, on average, spent $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.
Despite the fact that many credit unions have implemented sophisticated and effective data security (including cybersecurity) safeguards, attackers adapt to constantly evolving technology and find new ways to penetrate systems. Credit unions must make efforts to stay one step ahead, a core function of their organization. In addition, all entities – not just financial institutions – that handle consumer information should comply with comprehensive federal data protection standards.
On April 22, 2015, NAFCU President and CEO B. Dan Berger testified before the House Small Business Committee during a hearing titled "Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks." In his testimony, Berger detailed how credit unions have successfully minimized data breaches and why it's important that others do the same. NAFCU continues to seek passage of a data security bill that would create a strong national standard of data protection for retailers, recognize credit unions' compliance with the Gramm-Leach-Bliley Act and hold retailers accountable for breaches occurring on their end.
In January 2014, Senators Tom Carper (D-DE) and Roy Blunt (R-MO) introduced the Data Security Act of 2014 (S. 1927), to require minimum data security measures and breach notification requirements for all U.S. businesses. Like similar legislation the senators proposed in 2012, the new bill provides a Gramm-Leach-Bliley Act carve-out for financial institutions – a provision that NAFCU deems essential in any new data security package. Breached entities would be responsible for investigating the scope of the breach and reporting the findings to appropriate agencies and victims.
NAFCU was the first financial services trade association to weigh in on the data security issue on Capitol Hill in the wake of the 2013 Target data security breach. During hearings to discuss potential legislation that would better protect consumers from ongoing data breaches, we have asked for federal standards to ensure that merchants are responsible for breaches that occur on their end.
As the cybersecurity threat to national security grows, industry and agencies alike are urging federal action to establish national safeguards and standards.
The items NAFCU would like to see addressed in any comprehensive data security bill include:
NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.
Federal authorities are making a concerted effort to reinforce the fact that financial institutions must have robust safeguards in place to protect against data breaches.
In February of 2013, President Obama announced during the State of the Union address that he would sign an Executive Order addressing cybersecurity issues. The mainstay of the Executive Order was to effectively allow intelligence to be gathered on cyberattacks and cyberthreats to privately-owned critical nation infrastructure – such as the private defense sector, utility networks, and the banking industry – so they can better protect themselves, the general population, and the greater economy.
Following President Obama's Executive Order, a number of open comment periods and stakeholder workshops were held. The input gathered led to the development of a voluntary set of best practices for critical infrastructure. On February 12, 2014, the National Institute of Standards and Technology (NIST) issued a "Framework for Improving Critical Infrastructure Cybersecurity". As part of the framework, NIST also released a "Roadmap" discussing next steps and identifying key areas for development, alignment, and collaboration. The Department of Homeland Security has the discretion to promote the voluntary best practices.
The financial services and banking sector is among the industries considered to be critical infrastructure under the framework. NAFCU will remain vigilant that the NIST standards do not become a stepping stone to increase regulation and add compliance costs to credit unions. NAFCU welcomed the NIST framework but reminded regulators that credit unions and other financial institutions are already subject to stringent regulatory requirements under the Gramm-Leach-Bliley Act and continually work to make cybersecurity a priority.
In June 2013, Senator Pat Toomey (R-PA) introduced S.1193, the Data Security and Breach Notification Act of 2013, which among other provisions, would require companies to notify consumers promptly if their personal information was stolen. Given the reputational risk credit unions often suffer when personally identifiable information of their members is lost at the hands of outside parties, we see this as a step in the right direction. NAFCU has suggested several ways to strengthen this measure, and included these suggestions in our comprehensive Five-Point Plan for Regulatory Relief.
NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.
Small business leaders urge Congress to rethink cybersecurity measures (The Washington Post, April 23, 2015)
Data Security Is Everyone's Responsibility: Berger (Credit Union Times, April 22, 2015)
Cybercrime has Reached 'Epic Proportions:' Berger (Credit Union Journal, April 22, 2015)
NAFCU to House Small Business: Cyber and Data Security is a Top Challenge Facing Credit Union Industry
(April 22, 2015)
Target Settles With MasterCard (CUtoday.info, April 16, 2015)
Target, MasterCard Settle Over Breach (Bank Info Security, April 16, 2015)
Target paying $19 million over credit card breach (FORTUNE, April 16, 2015)
Target's MasterCard settlement: $19 million (USA Today, April 15, 2015)
NAFCU Lauds Sens. Carper and Blunt Introduction of Data Security Bill
(April 15, 2015)
NAFCU Statement In Response to Report of Possible $20 Million Target Settlement with Mastercard on Data Breach
(April 15, 2015)
MORE EMV FEUDING (POLITICO Morning Cybersecurity, April 6, 2015)
Retail Group: Delay Launch of Upgraded Payment Systems (Associations Now, April 6, 2015)
Retailers, Banks Skirmish Over EMV Deadline (Cards Not Present.com, April 6, 2015)
Credit Union Group: Regulate Retailers Like Banks (PYMNTS.com, April 6, 2015)
NEW FIGHT ERUPTS ON EMV TRANSITION (POLITICO Morning Cybersecurity, April 3, 2015)
Credit unions, retailers tussle over payment security (The Hill, April 3, 2015)
Trade Group Asks for Delay on Card-Security Plan (Wall Street Journal, April 2, 2015)
Retailers Push For Delay In Implementing New Data Security Features (Huffington Post, April 2, 2015)
Trade Group Asks for Delay on Card-Security Plan (Nasdaq, April 2, 2015)
NAFCU Slams Retailer EMV Stall (Credit Union Times, April 2, 2015)
NAFCU To Congress: Don't Swallow Food Marketing Institute's Delay Tactics (CUtoday.info, April 2, 2015)
NAFCU, Writing to House, Senate Leaders, Challenges FMI's Call For Delay on EMV Liability Shift
(April 2, 2015)
Read recent letters from NAFCU to members of Congress on key data security issues that affect credit unions and their members.
4-2-2015 NAFCU Letter Regarding FMI's EMV Delay Request
2-4-2015 NAFCU Letter on the Importance of Data Security
2-3-2015 NAFCU Letter to the Senate Commerce Committee
1-27-2015 NAFCU Letter on How Congress Must Tackle Cybersecurity and Data Security Together
1-23-2015 NAFCU Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Senate
1-23-2015 Joint Trades Letter on Data Security to the House
1-14-2015 NAFCU Letter to Congressional Leadership Urging for a Bipartisan-Bicameral Working Group on Data Security
12-9-2014 NAFCU Letter to the Senate Banking Committee on Cybersecurity and Data Security
12-1-2014 NAFCU Letter to Congress on "Cyber Monday" and the Need for National Data Security Standards for Retailers
View all NAFCU policy letters
In December 2014, the Payment Security Task Force (PST), of which NAFCU is a member, issued a white paper on protecting cardholder data at the merchant's physical or virtual point of sale. Download PST's "U.S. Payments Security Evolution and Strategic Road Map" paper.
Current cyber-related law and recent legislative proposals and action are outlined in the Congressional Research Service (CRS) report from June 20, 2013, titled Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions.
The National Credit Union Administration's cybersecurity guidance, 13-Risk-01, lists a number of mitigation practices that credit unions should implement, including:
The following websites also offer resources that may help your credit union bolster the measures you have already taken:
Updated April 2015