Data security breaches are a serious problem for both consumers and businesses. Credit unions also bear a significant burden as they incur steep losses in order to reestablish member safety after a data breach occurs, whether online or otherwise. A February 2015 NAFCU survey reports credit unions, on average, spent $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.
Despite the fact that many credit unions have implemented sophisticated and effective data security (including cybersecurity) safeguards, attackers adapt to constantly evolving technology and find new ways to penetrate systems. Credit unions must make efforts to stay one step ahead, a core function of their organization. In addition, all entities – not just financial institutions – that handle consumer information should comply with comprehensive federal data protection standards.
On November 1, 2017, Mission Federal Credit Union President/CEO and NAFCU Board Member Debra Schwartz testified before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled "Data Security: Vulnerabilities and Opportunities for Improvement." Schwartz stressed the effectiveness of the Gramm-Leach-Bliley Act (GLBA) and called for the creation of a national standard for data security.
On March 8, 2017, Chevron Federal Credit Union President/CEO Jim Mooney, who also chairs NAFCU's Cybersecurity and Payments Committee, testified before the House Small Business Committee at a hearing entitled "Small Business Cybersecurity: Federal Resources and Coordination." In his testimony, Jim called on Congress to introduce legislation similar to the Data Security Act of 2015 to create a national standard of data security that applies to all entities in the payments chain.
In the 114th Congress, Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del., introduced a NAFCU-backed bipartisan bill, the Data Security Act of 2015 (H.R. 2205), setting data protection standards, outlining a process for notifications and recognizing financial institutions' compliance with the Gramm-Leach-Bliley Act. The bill expired at the end of the 114th Congress and will need to be reintroduced in the 115th Congress. We ask credit unions to take action and ask their members of Congress to support a national standard of data security for all entities that handle sensitive financial information. NAFCU will continue to support legislation to hold retailers accountable for breaches occurring on their end.
On April 22, 2015, NAFCU President and CEO B. Dan Berger testified before the House Small Business Committee during a hearing titled "Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks." In his testimony, Berger detailed how credit unions have successfully minimized data breaches and why it's important that others do the same.
On May 14, 2015, the House Committee on Financial Services held a hearing entitled, "Protecting Consumers: Financial Data Security in the Age of Computer Hackers." Members of the committee discussed the pitfalls of the patchwork of state legislation addressing data security breaches and the comparative success of the Gramm-Leach-Bliley Act, which applies to credit unions and other financial institutions. Several witnesses noted problems with conflicting state laws that require different information to be included in breach notifications, and which impose different timelines. Another witness testified that Gramm-Leach-Bliley has worked for financial institutions and would work equally as well for other industries in the payments ecosystem because it is both scalable and flexible.
On October 7, 2015, Jan Roche, President and CEO of State Department Federal Credit Union and NAFCU board member, testified before the House Small Business Committee at a hearing regarding the recent EMV transition entitled, "The EMV Deadline and What it Means for Small Businesses." Roche testified alongside representatives from Visa, ICBA, and the Electronic Transactions Association. Roche's testimony emphasized that the best way to protect the financial system against payments fraud is through a national data security standard and urged the committee to support H.R. 2205, the Data Security Act of 2015.
On December 9, 2015, the House Financial Services Committee approved H.R. 2205 in a 46-9 vote. The bill closely aligned with legislation introduced a few weeks prior by Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo. – Data Security Act of 2015 (S. 961).
VIDEO: Berger talks about his testimony on data security and the call for greater retailer accountability (5/8/15)
NAFCU was the first financial services trade association to weigh in on the data security issue on Capitol Hill in the wake of the 2013 Target data security breach. During hearings to discuss potential legislation that would better protect consumers from ongoing data breaches, we have asked for federal standards to ensure that merchants are responsible for breaches that occur on their end.
As the cybersecurity threat to national security grows, industry and agencies alike are urging federal action to establish national safeguards and standards.
The items NAFCU would like to see addressed in any comprehensive data security bill include:
NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.
NAFCU has stayed at the forefront of this issue and continued to advance the call for national data security standards for all parties and champion credit unions in major media nationwide.
White House Seeking Public Feedback On Cybersecurity Trends (CUToday.info, August 11)
Big banks form A-team to fight for cyber security (HousingWire, August 10)
Dozens join lawsuit over Wendy's data breach (The Columbus Dispatch, August 5)
NAFCU Renews Call for Data Security Legislation (Credit Union Times, July 27)
Cybersecurity Focus Of Meeting Today; NAFCU Rep On Hand (CUToday.info, July 27)
Retailers are shirking consumer data security responsibilities (TheHill.com, July 13)
Wendy's Admits Breach Involved More Than 1,000 Restaurants (CUToday.info, July 10)
Interactive Version of FFIEC Cybersecurity Tool Is Released (CUToday.info, July 10)
Data Breaches At 'Tipping Point' Says NAFCU As 2 More Are Announced (CUToday.info, May 25, 2016)
NAFCU urges legislative action on cyber security (HousingWire, May 23, 2016)
Financial Groups' Latest Campaign: "Stop the Data Breaches" (AssociationsNow, May 23, 2016)
CUs, Banks Join On Campaign Around Data Breaches (CUToday.info, May 23, 2016)
Wendy's Provides Details On Data Breach (CUToday.info, May 12, 2016)
Hearing Today on Data Security; NAFCU Reiterates Threat to CUs (CUToday.info, April 20, 2016)
Banks to FFIEC: Cyber Tool is Flawed (BankInfoSecurity, January 25, 2016)
Data Security, NCUA Budget Bills Voted Out of Committee (Credit Union Times, December 9, 2015)
House Financial Services Committee Votes in Favor of Data Security Act (CUtoday.info, December 9, 2015)
From Data Security to NCUA's Budget Process, A Look at Credit Union Advocacy for the Year (Credit Union Journal, December 8, 2015)
Data breach up next (POLITICO Morning Cybersecurity, December 7, 2015)
Target Agrees to Pay Banks $39 Million in Data Breach Settlement (Yahoo! Finance, December 7, 2015)
Data Security, NCUA Budget Bills In Mark-Up Today (CUtoday.info, December 7, 2015)
Target Agrees to $39 Million Settlement with Credit Card Issuers' Data Breach Claims (JD Supra Business Advisor, December 7, 2015)
Target Agrees to Pay Banks $39 Million in Data Breach Settlement (Money Talks News, December 6, 2015)
Data Security and NCUA Budget on Tap in Markup (Credit Union Times, December 4, 2015)
Target Likely to Pay Out in Summer 2016 (Credit Union Times, December 3, 2015)
Target settles with banks over 2013 hack (Insurance Business America, December 3, 2015)
Target Settles 2013 Data Breach Claims with Banks (Insurance Journal, December 3, 2015)
Target settles with banks over 2013 breach for $39M (The Indiana Lawyer.com, December 3, 2015)
NAFCU addresses proposed $39 million Target breach settlement with FIs (The Green Sheet, December 3, 2015)
NAFCU Thanks Chairman Hensarling for Reviewing Data Security, NCUA Budget Bills (December 3, 2015)
Target Settles With Banks Over 2013 Breach for $39 Million (Bloomberg Business, December 2, 2015)
Target settles class-action suit over data breach claims for $39 million (The Minneapolis Star-Tribune, December 2, 2015)
Target Agrees To New Settlement; NAFCU Pushes For Greater Merchant Security Standards (CUtoday.info, December 2, 2015)
NAFCU Statement In Response to Report of Proposed $39 Million Target Settlement with Financial Institutions on Data Breach (December 2, 2015)
CU Trade Groups Join Others In Pushing For Cybersecurity Bill (CUtoday.info, November 22, 2015)
State AGs Back Mandatory PIN Use for Cards (Credit Union Journal, November 17, 2015)
NAFCU Presses Senate For Stronger Retailer Data Security Standards (CUtoday.info, November 3, 2015)
CISA Passes Senate, Heads to House (Credit Union Times, October 28, 2015)
Senate Passes Cybersecurity Information Sharing Act (CUtoday.info, October 27, 2015)
NAFCU Statement on Senate Passage of S. 754, the 'Cybersecurity Information Sharing Act' (CISA) (October 27, 2015)
NAFCU's Carrie Hunt Addresses the Long Overdue Data Security Act of 2015 (CU broadcast, October 26, 2015)
Study Finds Breaches At Small Retailers On The Increase; Half of Members Asking Questions (CUtoday.info, October 22, 2015)
NAFCU Statement in Response to House Small Business Committee's Second Hearing on EMV Transition (October 21, 2015)
Data security: A shared responsibility (The Hill, October 21, 2015)
Amid EMV Shift, NAFCU Head Calls for Stronger Regulations for Merchants (Mobile ID World, October 21, 2015)
Senate Takes Up Key Cybersecurity Bill (CU Journal, October 21, 2015)
11-7-2017 NAFCU Letter on Tomorrow's Hearing "Protecting Consumers in the Era of Major Data Breaches"
10-16-17 NAFCU Letter to Senate Banking re Credit Bureau Hearing
10-4-17 NAFCU Letter to Hensarling Waters re Equifax Hearing
10-3-17 NAFCU Letter to Crapo - Brown re Equifax Hearing
10-3-17 NAFCU Letter to Flake Franken re Equifax Hearing
10-02-17 NAFCU letter on Latta Schakowsky re Equifax Hearing
9-8-17 NAFCU Letter on the Massive Equifax Data Breach - Reiterating the Need for National Data Security Standards
3-8-17 Testimony of Jim Mooney for the House Small Business Committee, "Small Business Cybersecurity: Federal Resources and Coordination"
2-13-17 NAFCU Letter on Tomorrow's House Science, Space and Technology Committee Hearing on U.S. Cybersecurity Capabilities
4-26-16 NAFCU Letter on the Need for Strong National Data Security Standards in H.R. 2205
4-19-16 NAFCU Letter on Cyber and Data Security
3-21-16 NAFCU Letter on Tomorrow's Hearing on Cyber Risk Management
1-27-2016 NAFCU Letter on Possible Wendy's Data Breach and the Need for National Data Security Standards
12-7-2015 Joint Trades Letter in Support of H.R. 2205, the "Data Security Act of 2015"
12-7-2015 NAFCU Letter on Tomorrow's House Financial Services Mark-up and Key Votes for Credit Unions
11-19-2015 Joint Trades Letter Ahead of Conference Committee on Cyber Threat Information Sharing Legislation
11-2-2015 NAFCU Letter on Tomorrow's Hearing, "Data Brokers: Is Consumers' Information Secure?"
10-22-2015 Joint Trades Letter in Opposition to SA 2564 to S. 754, the "Cybersecurity Information Sharing Act"
Joint Trades Letter in Support of S. 754, the "Cybersecurity Information Sharing Act" and S. 961, the "Data Security Act of 2015"
10-20-2015 NAFCU Letter on Tomorrow's Hearing on EMV Implementation
10-16-2015 Joint Trades Letter Ahead of the House Small Business Committee's Upcoming Hearing on the EMV Implementation
10-15-2015 Joint Trades Letter Urging Members of Congress to Support H.R. 2205, the "Data Security Act of 2015"
8-4-2015 Joint Trades Letter in Support of S. 754, the "Cybersecurity Information Sharing Act"
7-7-2015 NAFCU Letter on Cyber Security and Data Security
5-18-2015 NAFCU Letter on Data Security
5-1-2015 Joint Trades Letter to the House in Support of the Data Security Act of 2015 (H.R. 2205)
5-1-2015 Joint Trades Letter to the Senate in Support of the Data Security Act of 2015 (S. 961)
4-15-2015 NAFCU Letter on the Data Security and Breach Notification Act of 2015- H.R. 1770
4-2-2015 NAFCU Letter Regarding FMI's EMV Delay Request
2-4-2015 NAFCU Letter on the Importance of Data Security
2-3-2015 NAFCU Letter to the Senate Commerce Committee
1-27-2015 NAFCU Letter on How Congress Must Tackle Cybersecurity and Data Security Together
1-23-2015 NAFCU Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Subcommittee on Commerce, Manufacturing, and Trade
1-23-2015 Joint Trades Letter on Data Security to the Senate
1-23-2015 Joint Trades Letter on Data Security to the House
1-14-2015 NAFCU Letter to Congressional Leadership Urging for a Bipartisan-Bicameral Working Group on Data Security
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool.
The Assessment can be utilized by individual credit unions to identify their individual risks and assess their cybersecurity preparedness. While the use of this self-assessment tool will not be mandatory, NCUA plans to train its examiners on how to utilize this Assessment in the exam process in order for the agency to collect information about the credit union industry's cybersecurity preparedness as a whole. NCUA will aggregate data on credit union cybersecurity preparedness and share it with other financial regulators within FFIEC.
In December 2014, the Payment Security Task Force (PST), of which NAFCU is a member, issued a white paper on protecting cardholder data at the merchant's physical or virtual point of sale. Download PST's "U.S. Payments Security Evolution and Strategic Road Map" paper.
Current cyber-related law and recent legislative proposals and action are outlined in the Congressional Research Service (CRS) report from June 20, 2013, titled Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions.
The National Credit Union Administration's cybersecurity guidance, 13-Risk-01, lists a number of mitigation practices that credit unions should implement, including:
The following websites also offer resources that may help your credit union bolster the measures you have already taken:
Incident Reporting and Response
DHS - United States Computer Emergency Readiness Team (US-CERT)
FBI - Internet Crime Complaint Center (IC3)
Secret Service - Financial Crimes Task Force
FS-ISAC (The Financial Services Information Sharing and Analysis Center)
NCU-ISAO (National Credit Union Information Sharing & Analysis Organization)
DHS - National Cybersecurity Communication and Integration Center (NCCIC)
Infragard (Public-Private Information Sharing to Protect Critical Infrastructure)
Consumer/Small Business Information
FTC - Privacy, Identity and Online Security Tips
National Cyber Security Alliance Stay Safe Online
FCC - 10 Cybersecurity Strategies for Small Business Tip Sheet
US-CERT Ransomware Overview and Best Practices
NCUA - Ransomware Infographic and Information for Credit Unions
Updated November 2017