November 01, 2017

NAFCU's 8th Hill testimony this year provides ways to curb data breaches

Leveling the playing field for all entities that hold consumers' personal financial information with the creation of a national standard for data security would greatly minimize the numbers and impact of data breaches, said NAFCU witness Debra Schwartz during congressional testimony Wednesday.

Schwartz, NAFCU Board treasurer and president and CEO of Mission Federal Credit Union (San Diego, Calif.), was testifying before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit. Schwartz was the only financial institution representative offering testimony on the witness panel yesterday.

While many of the questions Schwartz fielded during the hearing addressed how consumers should be notified of data breaches, she noted that the real objective should be preventing data breaches from happening in the first place.

Throughout the hearing she stressed the effectiveness of the Gramm-Leach-Bliley Act (GLBA). GLBA, she said, "has been dynamic, scalable and flexible." She added that it works for all credit unions of all asset sizes and provides an excellent model for a national standard that all entities can follow.

She also said the Data Security Act of 2015 (H.R. 2205), introduced in the last Congress, was another strong solution to the ongoing problem of data security breaches. During Q&A with Rep. Andy Barr, R-Ky., Schwartz noted how H.R. 2205 did a "very nice job" at providing a level playing field for all entities involved in the safekeeping of consumers' personal data.

Barr also went on to discuss the increased costs community banks and credit unions in his district are incurring because of data security concerns and asked Schwartz her thoughts on the weakest link in the data security system. She said the weakest link is where the criminals are going to go, and that currently is at the merchant level. She suggested that if merchants practiced some basic financial "hygiene" – such as clearing out old data that isn't needed any more – the incidence and impact of data breaches would likely be lessened.

Rep. Ed Royce, R-Calif., listed the costs that various data breaches have imposed on credit unions in his area and asked Schwartz if those numbers rang true for her. She agreed, and said her credit union has spent $1.7 million so far this year on fraud costs.

Rep. Mia Love, R-Utah, also spent her time asking Schwartz about data breach costs and compliance, particularly whether there was a way to enforce compliance. "If entities followed GLBA requirements, it's very possible the Equifax breach would have never happened," Schwartz said. Love asked whether we would see fewer breaches if entities were held financially responsible for breaches that occur on their end. Schwartz responded, "no question," and Love said all entities need to "have some skin in the game."

NAFCU has been a leading advocate for national data security standards that hold all entities that handle personal financial data to the same standards as credit unions and other depository institutions. The association has repeatedly called for action to ensure that credit unions do not bear the cost of negligent data practices by any entity.

"I am proud of our advocacy team for all it has accomplished this year, including continuing to build the relationships that lead to credit union representatives testifying eight times before Congress," said Carrie Hunt, NAFCU's executive vice president of government affairs and general counsel. "We thank Debra Schwartz for being part of these efforts – it is imperative that legislators hear the impact their decisions will have on businesses and consumers. NAFCU and our members will continue to seek out opportunities to ensure issues affecting credit unions, like data security, are responsibly addressed."

In related news, the Senate Commerce, Science, and Transportation Committee will hold a hearing titled "Protecting Consumers in the Era of Major Data Breaches" Nov. 8. Witnesses include executives from Equifax, Yahoo!, Verizon Communications Inc. and Entrust Datacard Corp.