Data Security


Updated April 2013

Data security breaches are a serious problem for both consumers and businesses. Financial institutions, such as credit unions, also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs. The number and scope of data breaches are significant, and the damage realized may surprise those who have not been intimately involved.  

For example, in 2009 Heartland Payment Systems, a company that processes card payments for restaurants, retailers, and other merchants, disclosed that the systems it used to process transactions had been compromised. At the time the company was handling over 100 million payment card transactions per month for nearly 175,000 merchants, and card records from those transactions were stolen. Millions of American consumers instantly became victims. Other infamous data breaches include the estimated 4.2 million credit and debit card numbers stolen from Hannaford Bros. grocery stores in New England in 2008 and retail giant TJX losing 94 million customer records in 2007.

More recently, on May 11, 2011, Michaels Stores, Inc. notified its customers that more than 90 terminals in 20 different states had been compromised in a debit card PIN scheme. Tens of thousands of customers' debit cards may have been compromised and the scheme has been linked to hundreds of thousands of dollars in fraudulent withdrawals in California alone. The emotional toll that a data breach can take on consumers is immense. Information and identities can be stolen, fraudulent account charges can occur, and credit scores can be damaged. Along with consumers, small financial institutions like credit unions also face financial burdens when fraud is incurred. Credit unions are often forced to charge off fraud losses, some of which stem from the failure of merchants to protect sensitive financial information about their customers or the illegal maintenance of such information in their systems.   

In cases of data breaches or fraud, as demonstrated by the Michaels Stores breach mentioned above, it is the credit union that must notify their members, issue new cards, change account numbers, and perform a host of other activities, all of which cost both time and money. The merchant who failed to protect the data is often undisclosed and unknown to the consumer and does not pay to make the consumer whole. Interchange fees have historically been one way in which the costs of such breaches were offset by merchants. However, recent Congressional action to limit debit interchange fees does not recognize this problem and will result in heavier burdens falling on financial institutions and consumers. Educating lawmakers about the significance of debit interchange to help offset data breaches at the hands of retailers is critical.  

Meanwhile, as cases of fraud become more prevalent, the costs that credit unions pay for insurance, prevention services, and staff to handle member concerns continue to grow. As the volume of plastic card usage increases, so does the risk of data breaches and fraud.

Despite the fact that they are rarely the source of significant data breaches, credit unions and other financial institutions are still mandated to protect data consistent with the provisions set out in the Gramm-Leach-Bliley Act. In addition to complying with Gramm-Leach-Bliley, credit unions have been known to go above and beyond in helping their members navigate the steps they should take if they have been the victims of fraud. It should be noted that there is no comprehensive regulatory structure similar to Gramm-Leach-Bliley for retailers, merchants, or others who collect or hold sensitive information.  

In the 112th Congress, Rep. Mary Bono Mack (R-CA), Chairwoman of the Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade, introduced the Secure and Fortify Electronic Data Act (H.R. 2577), and Sens. Tom Carper (D-DE) and Roy Blunt (R-MO) introduced the Data Security Act of 2011 (S. 1434), a NAFCU-backed financial services approach to the issue. Both bills would have required security standards for different types of personal and account information and specific notification procedures in the event of a breach.

Additionally, Senator Patrick Leahy, Chairman of the Senate Judiciary Committee, introduced the Personal Data Privacy and Security Act of 2011, which was marked-up and placed on the Senate Legislative Calendar under general orders. His bill would have provided for enhanced punishment for identity theft and other violations of data privacy and security, required security standards for certain types of personal and account information, required certain disclosure and maintenance procedures for data brokers, and authorized the Attorney General and state attorneys general to bring civil actions against business entities for violations of the Act.  

On April 26, 2012, the House passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), by a recorded vote of 248-168. The bill aimed to remove roadblocks to the sharing of cyber threat information between the government and the private sector and to enhance analysis and prevention tools. It would also have given the Financial Services Information Sharing and Analysis Center (FS-ISAC) increased access to timely, actionable threat information and the authority to share it with its private-sector members. H.R. 3523 did not address credit union-specific issues such as card breaches; it took a broader approach aimed at preventing large-scale attacks on infrastructure such as payment systems, the Internet, or the power grid. The White House threatened to veto the measure over concerns for civil liberties and personal privacy, concerns that House Republicans said the legislation already addressed.

While supporting some aspects of proposed legislation, NAFCU has developed a list of items we would like to see addressed in any comprehensive data security bill:  

  • Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require merchants to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame. The entity that is best situated to mitigate the risk to sensitive data should be the liable party when a breach occurs.   
  • National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants, and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.   
  • Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to by providing their personal information. NAFCU believes that this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant, but would provide an important benefit to the public at large.   
  • Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the timely disclosure of identities of companies and merchants whose data systems have been violated, so consumers are aware of those that place their personal information at risk.     
  • Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached.    
  • Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes it would make sense to add entities such as financial institutions to the list of those to be informed of any compromise of personally identifiable information when associated accounts are involved.
  • Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information, but sustained a violation regardless. The law is currently vague on this issue, and NAFCU therefore asks that this burden of proof be clarified in statute.   

On December 1, 2011, Air Academy FCU President and CEO Glenn Strebe testified on behalf of NAFCU regarding small-business cyber security issues before the House Small Business Subcommittee on Healthcare and Technology. In addition to the list above, Strebe told lawmakers that all entities, not just financial institutions, that handle consumers' personal data should comply with comprehensive data protection rules and standards, and that the lack of any requirement for merchants, retailers, or other non-depository entities to disclose breaches of their data systems leaves credit unions and other institutions exposed to reputation risk when they must disclose such incidents to consumers. He stressed that legislation setting some kind of notification requirement would help credit unions preserve the good will of their memberships when such breaches occur.

On February 12, 2013, President Barack Obama signed a limited executive order focused on the digital defenses of power plants, water systems, and other entities deemed critical infrastructure. The order directs federal agencies to share information on cyberattacks and cyber threats with the private owners and operators of critical national infrastructure, such as defense contractors, utility networks, and the banking industry, and calls for a voluntary cybersecurity "framework" of standards and best practices, so that those operators can better protect themselves, the general US population, the economy, and other nations that rely on US support.

NAFCU continues to monitor this issue and will provide updates as they occur.

Data Security Comment Letters

4-16-2013 NAFCU letter on Cyber Security and Data Security

7-31-12 Reid-McConnell Cyber Security Bill and the Carper-Blunt Amendment

4-23-12 Boehner-Pelosi Cyber and Data Security Comment Letter

9-20-11 Rockefeller-Hutchison Comment Letter

7-19-11 Mack-Butterfield H.R. 2577 Mark-Up Comment Letter  

6-20-11 Johnson-Shelby Data Protection in the Financial Sector Comment Letter

6-14-11 Mack-Butterfield Data Security and Breach Notification Comment Letter  

6-1-11 Mack-Butterfield Data Security Comment Letter  

5-3-11 Mack-Butterfield Data Security Comment Letter

11-15-10 Pelosi-Boehner Data Security Comment Letter   

11-15-10 Reid-McConnell Data Security Comment Letter   
