January 07, 2014

Post-Target-breach steps eyed in Compliance Blog

While NAFCU continues to press lawmakers for action on merchants' data security, credit unions can get some important tips now on how to manage the fallout of the Target Corporation data breach from the NAFCU Compliance Blog.

Alicia Nealon, a NAFCU regulatory compliance counsel, points out in today's blog post that the steps credit unions take may depend on how many credit and debit cards they issue, the types of data that are affected and the potential risk for fraud. Then there is the potential liability for unauthorized transactions.

"Both Regulation E and Regulation Z limit a member's liability for unauthorized transactions," Nealon writes. "[A]greements between the credit union and Visa and MasterCard typically require a 'zero liability' for the member for unauthorized transactions. Accordingly, the liability often falls onto the credit union. To mitigate this risk, credit unions may make the business decision to reissue cards or close compromised accounts."

The problem of liability is one that NAFCU lobbyists continue to press in discussions with lawmakers in Washington.

Three Senate Banking Committee members – Democrats Bob Menendez of New Jersey, Chuck Schumer of New York and Mark Warner of Virginia – have all urged a hearing, and committee Chairman Tim Johnson, D-S.D., is reportedly considering such a hearing. Menendez, Schumer and Sens. Richard Blumenthal, D-Conn., and Patrick Leahy, D-Vt., have also called for Federal Trade Commission and CFPB investigations.

NAFCU, the first financial services trade association to call for congressional action on data protection, is urging that merchants be held accountable for data breaches on their end, pay for the associated costs and make timely disclosures of such breaches.

Credit unions can learn more about data security and related technology issues during NAFCU's Technology and Security Conference next month in Las Vegas.