February 03, 2014

Berger urges data standards, cites data breach costs

NAFCU President and CEO Dan Berger wrote two Senate panels Monday to urge action on national data security standards for retailers, noting that recent data breaches have cost credit unions nearly $30 million for post-breach monitoring, reissuance of cards, fraud investigations and more.

Berger, writing in advance of a hearing by the Senate Banking Subcommittee on National Security and International Trade and Finance, told panel Chairman Mark Warner, D-Va., and Ranking Member Mark Kirk, R-Ill., that the Target data breach alone could cost credit unions nearly $30 million from the "monitoring, reissuance of cards and fraud investigations and losses from this breach."

He asked the subcommittee leaders to carefully review NAFCU-backed S. 1927, the "Data Security Act of 2014," as this legislation would increase requirements for businesses without burdening financial institutions – such as credit unions – already subject to data protection measures under the Gramm-Leach-Bliley Act.

Berger cited findings of a January survey of the association's members showing that, on average, credit unions were notified more than 100 times in 2013 of possible breaches of their members' financial information. The survey also found that the cost for credit unions to issue replacement plastic cards to members ranged from $5 to $15 per card.

He reiterated those figures in a letter to the Senate Judiciary Committee, which holds a hearing today on cybersecurity.

Of note during Monday's subcommittee hearing:

  • Agreeing with NAFCU, Warner noted during his opening statement that chip-and-PIN is not a silver bullet to protect against data security breaches.
  • Also in line with NAFCU's views, Sens. Elizabeth Warren, D-Mass., Jon Tester, D-Mont., and Robert Menendez, D-N.J., noted the need for a federal mandate for data breach notifications. Some senators also suggested having civil penalty consequences in place to avert any negligence by those who retain consumers' personal information. The Federal Trade Commission witness, Director of the Bureau of Consumer Protection Jessica Rich, also stated the need for a federal law on data security and breach notification as well as civil penalties.
  • Tester also made the point, which NAFCU made in Monday's letter to the subcommittee, that financial institutions are the ones responsible for covering the losses of a data breach.

NAFCU's letter to the Senate Banking subcommittee was submitted to the hearing's record. More hearings on data security are slated Wednesday by a House Energy and Commerce subcommittee and Thursday by the full Senate Banking Committee.

NAFCU, the first financial trade to seek hearings and legislation immediately following the Target breach, will closely follow all hearings and will weigh in on its members' behalf.