January 15, 2014

Berger calls for retailer responsibility in breaches

NAFCU President and CEO Dan Berger, in an editorial Wednesday in American Banker, called on Congress to assign more responsibility to retailers when it comes to data security breaches like those reported by Target Corporation and Neiman Marcus.

"Unfortunately, the retailers continue to balk at the notion of being held responsible for their part in safeguarding consumers' sensitive data," Berger wrote. "The National Association of Federal Credit Unions believes if retailers want to reap the rewards of consumer sales, they should also take an active role in protecting their data. It is with this in mind that NAFCU is calling on Congress to make comprehensive data security legislation a priority in 2014."

Berger pointed out that financial institutions such as credit unions are held to strict standards of data protection under the 1999 Gramm-Leach-Bliley Act and that retailers and other merchants have no similar requirements. He called on Congress to require merchants:

  • to pay for the costs of breaches on their end;
  • to follow data storage standards similar to those of the Gramm-Leach-Bliley Act;
  • to post data security policies publicly;
  • to disclose data breaches in a timely manner; and
  • to notify account servicers or owners of compromised information.

NAFCU was the first financial institution trade association in the wake of the Target breach to call for increased retailer responsibility, and has been cited in many news reports as a leader in the push for a congressional response.