January 07, 2014

NAFCU lobbyists to the Hill on data security

NAFCU's lobbyists took to Capitol Hill Monday to talk with lawmakers and their staff about the need to pass data-security requirements for merchants against the backdrop of the Target Corporation breach.

"NAFCU is strongly urging Congress to enact data security provisions that would require merchants and retailers to be held to standards for protecting consumers' data," said Brad Thaler, NAFCU's vice president of legislative affairs. "Credit unions are committed to continuing to do all they can to safeguard their members' data, but until merchants are required to do their part, consumers will remain at risk."

The Target Corporation breach affects some 40 million credit card holders. NAFCU, the first financial services trade association to call for congressional action on data protection, last month ramped up its call in letters to the House and Senate and in an editorial on The Huffington Post. Several senators have called for a hearing on the Target breach.

NAFCU is working with lawmakers in the House and Senate to seek action on this issue. It is urging that any data security bill passed include:

  • a requirement that merchants be accountable for costs of breaches on their end;
  • a requirement that any business entity responsible for the storage of consumer data meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act;
  • a requirement that merchants post their data security policies at the point of sale if they take sensitive financial data;
  • a requirement for the timely disclosure of the identities of breached companies and merchants;
  • measures to address violations of existing agreements and law by merchants and retailers who retain payment card information electronically;
  • notification of the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account;
  • a duty for any breached merchant or retailer to demonstrate all necessary precautions were taken to guard data.