Data Security

Data security breaches are a serious problem for both consumers and businesses. In fact, a recent Gallup survey reports that having one's credit card information from stores stolen is the top worry among Americans. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs, whether online or otherwise. The number and scope of data breaches have been significant, and the damage realized may surprise those who have not been intimately involved.

Despite the fact that many credit unions have implemented sophisticated and effective data security (including cybersecurity) safeguards, attackers adapt to constantly evolving technology and find new ways to penetrate systems. Credit unions must make efforts to stay one step ahead, a core function of their organization. In addition, all entities – not just financial institutions – that handle consumer information should comply with comprehensive federal data protection standards.

Recent Activity on Capitol Hill

In January 2014, Senators Tom Carper (D-DE) and Roy Blunt (R-MO) introduced the Data Security Act of 2014 (S. 1927), to require minimum data security measures and breach notification requirements for  all U.S. businesses. Like similar legislation the senators proposed in 2012, the new bill provides a Gramm-Leach-Bliley Act carve-out for financial institutions – a provision that NAFCU deems essential in any new data security package. Breached entities would be responsible for investigating the scope of the breach and reporting the findings to appropriate agencies and victims.

In June 2013, Senator Pat Toomey (R-PA) introduced S.1193, the Data Security and Breach Notification Act of 2013, which among other provisions, would require companies to notify consumers promptly if their personal information was stolen. Given the reputational risk credit unions often suffer when personally identifiable information of their members is lost at the hands of outside parties, we see this as a step in the right direction. NAFCU has suggested several ways to strengthen this measure, and included these suggestions in our comprehensive Five-Point Plan for Regulatory Relief.

NAFCU's Position on Data Security

NAFCU was the first financial services trade association to weigh in on the data security issue on Capitol Hill in the wake of the 2013 Target data security breach. During hearings to discuss potential legislation that would better protect consumers from ongoing data breaches, we have asked for federal standards to ensure that merchants are responsible for breaches that occur on their end.

As the cybersecurity threat to national security grows, industry and agencies alike are urging federal action to establish national safeguards and standards.

The items NAFCU would like to see addressed in any comprehensive data security bill include:

  • Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require merchants to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame. The entity that is best situated to mitigate the risk to sensitive data should be the liable party when a breach occurs.
  • National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants, and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
  • Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to by providing their personal information. NAFCU believes that this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant, but would provide an important benefit to the public at large.
  • Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the timely disclosure of identities of companies and merchants whose data systems have been violated, so consumers are aware of those that place their personal information at risk.
  • Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached.
  • Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions to the list of those to be informed of any compromised personally identifiable information when, associated accounts are involved.
  • Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information, but sustained a violation regardless. The law is currently vague on this issue, and NAFCU therefore asks that this burden of proof be clarified in statute.

NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.

Issue Background Information

Federal authorities are making a concerted effort to reinforce the fact that financial institutions must have robust safeguards in place to protect against data breaches.

In February of 2013, President Obama announced during the State of the Union address that he would sign an Executive Order addressing cybersecurity issues. The mainstay of the Executive Order was to effectively allow intelligence to be gathered on cyberattacks and cyberthreats to privately-owned critical nation infrastructure – such as the private defense sector, utility networks, and the banking industry – so they can better protect themselves, the general population, and the greater economy.

Following President Obama's Executive Order, a number of open comment periods and stakeholder workshops were held. The input gathered led to the development of a voluntary set of best practices for critical infrastructure. On February 12, 2014, the National Institute of Standards and Technology (NIST) issued a "Framework for Improving Critical Infrastructure Cybersecurity". As part of the framework, NIST also released a "Roadmap" discussing next steps and identifying key areas for development, alignment, and collaboration. The Department of Homeland Security has the discretion to promote the voluntary best practices.

The financial services and banking sector is among the industries considered to be critical infrastructure under the framework. NAFCU will remain vigilant that the NIST standards do not become a stepping stone to increase regulation and add compliance costs to credit unions. NAFCU welcomed the NIST framework but reminded regulators that credit unions and other financial institutions are already subject to stringent regulatory requirements under the Gramm-Leach-Bliley Act and continually work to make cybersecurity a priority.

Data security breaches over time

  • September 2014: In what is now the largest retailer data breach known, Home Depot announced that 56 million cardholder accounts were compromised between April and September at its stores throughout the U.S. and Canada. UPS, Jimmy Johns's, Community Health Systems Inc. and Supervalu also reported data breaches reaching millions of consumers.
  • April 2014: Michaels confirmed that credit and debit card information was stolen from 3 million customers who shopped at some of its stores during an eight-month period, and another 400,000 consumers' credit cards were compromised at their Aaron Brothers stores.
  • January 2014: Neiman Marcus discloses cyberattack where hackers invaded its systems for several months in a breach that involved 1.1 million credit and debit cards.
  • December 2013: Target Corporation announced that as many as 40 million credit- and debit-card customers were exposed to potential fraud. Information stolen included customer names, credit or debit card numbers, their expiration dates and encrypted security codes, as well as encrypted debit card PIN data.
  • May 2011: Michaels Stores, Inc. notified its customers that more than 90 terminals in 20 different states had been compromised in a debit card PIN scheme. Tens of thousands of customers' debit cards may have been compromised and the scheme has been linked to hundreds of thousands of dollars in fraudulent withdrawals in California alone.
  • 2009: The Heartland Payments Systems, the sixth-largest payments processor at the time, announced that its processing systems were breached in 2008, exposing sensitive data associated with 130 million U.S. debit and credit cards.
  • 2008: An estimated 4.2 million credit and debit card numbers were stolen from Hannaford Bros. Grocery Stores in the New England area.
  • 2007: Retail giant TJX lost 94 million customer records.

Recent Media Outreach

NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.

Split deepens between retailers, credit unions (The Hill, October 31)

LET’S GET READY TO RUMBLE: RETAILERS VS. CREDIT UNIONS (POLITICO Morning Cybersecurity, October 31)

Credit Unions, Retail Groups Finger-Pointing On Payment Security (PYMNTS.com, October 31)

NAFCU Responds to Retailer Groups on Data Breach ‘Misconceptions’ (October 30, 2014)  

NAFCU: Data Breaches Have Reached Epic Proportions, Congress Must Act to Create National Data Security Standards For Retailers (October 21, 2014)  

Obama Moves Without Congress on Data Security (Credit Union Times, October 17)

NAFCU’s Berger Attends President Obama’s Call for Data Breach Legislation (October 17, 2014)  

Most Credit Unions Hit by Breaches: Survey (Credit Union Times, October 15, 2014)

CREDIT UNIONS HIT A NERVE WITH MERCHANTS  (POLITICO Morning Cybersecurity, October 7, 2014)

Massive data breaches: Where they lead is surprising (USA Today, October 3, 2014)

Ways to prevent cybertheft (USA Today, October 2, 2014)

NAFCU Urges Congress To Create Data Security Working Group (September 30, 2014) 

NAFCU PENS ‘DEAR BARACK’ LETTER (POLITICO Morning Cybersecurity, September 29, 2014)

Congress punts hacker fight to 2015 (The Hill, September 24, 2014)

Fraudulent charges from Home Depot breach surface (CBS MoneyWatch, September 24, 2014)

NAFCU Hails Sens. Rockefeller, McCaskill for Response to Home Depot Breach and Risk to Consumers (September 11, 2014)

Card Data Breach Increase Changes Fraud Tactics, Challenges Small CUs (Credit Union Journal, September 3, 2014) 

NAFCU: Lack of National Data Security and Breach Notification Standards for Retailers Creates Continued Opportunities for Cyber Thieves (September 3, 2014) 

Retailers Should Be Held to Stricter Standards on Data Security (American Banker, August 27, 2014)

NAFCU Continues Push for Regulation After UPS Breach (Credit Union Times, August 25, 2014)

NAFCU CONTINUES FIGHT VS. RETAILERS ON HILL (POLITICO MORNING CYBERSECURITY, August 22)

Credit unions: Anti-hacking bill should be 'priority' (The Hill, August 21)

NAFCU: Lack of National Data Security Standards for Retailers Remain Six Months After Target Data Breach (June 19, 2014)

Cybercrime Thrives Amid Lack of National Data Security Standards for Retailers (Huffington Post, June 17, 2014)

NAFCU: Rampant Data Breaches Require National Standards on Data Security For Retailers (June 11, 2014)

After another data breach, Congress pressed to act (The Hill's Technology Blog, April 18, 2014)

Credit unions renew push for data security law (The Hill's Technology Blog, March 20, 2014)

No One is Secure While Data Security Is a One-Sided Proposition (Huffington Post, March 12, 2014)

On data security, hold merchants to the same standards as financial institutions (The Hill's Congress Blog, February 27, 2014)

NAFCU: Credit Unions Pay High Price for Data Breaches (February 10, 2014)

NAFCU Wants Data Security Standards (POLITICO Morning Money, January 23, 2014)

What can be done to protect consumers from data breaches? (Fox Business, January 17, 2014)

Recent Policy Letters

Read recent letters from NAFCU to members of Congress on key data security issues that affect credit unions and their members.

9-30-14 NAFCU letter to House, Senate Leaders to Urge Data Security Working Group

9-26-2014 NAFCU letter to the White House on Holding Retailers Accountable for Data Breaches

8-21-2014 NAFCU letter on UPS and Supervalu Data Breaches 

6-11-2014 NAFCU letter on Data Security and holding retailers accountable

4-18-2014 NAFCU letter on Data Security (Michaels Breach)

3-19-2014 NAFCU letter on Data Security

2-5-2014 Financial Trades letter regarding Data Security

2-4-2014 NAFCU letter on Data Security

2-3-2014 NAFCU letter on Senate Judicary Data Security Hearing

View all NAFCU policy letters

Additional Resources

Current cyber-related law and recent legislative proposals and action are outlined in the Congressional Research Service (CRS) report from June 20, 2013, titled Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions.

The National Credit Union Administration's cybersecurity guidance, 13-Risk-01, lists a number of mitigation practices that credit unions should implement, including:

  • Maintaining strong information security awareness programs for employees and members.
  • Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
  • Implementing strong controls over computers used to process commercial payments, including but not limited to:
    • Multifactor authentication
    • Removal of hardware tokens upon session completion.
    • Prohibited or highly filtered use of Internet browsing.
    • Dedicated, corporate-owned systems without administrator privileges.
  • Following network and application security best practices with regard to configuring systems, patch management, and security testing.

The following websites also offer resources that may help your credit union bolster the measures you have already taken:

Updated October 2014