January 08, 2014

Senators ready bills in wake of Target breach

Two bills on data security have emerged in the Senate following weeks of urging by NAFCU in the wake of the Target Corporation data breach.

On Wednesday, Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., reintroduced a data privacy bill and said on the Senate floor that the issue would be addressed in a committee hearing early this session.

Senate Homeland Security and Government Affairs Committee Chairman Tom Carper, D-Del., also said he plans to reintroduce a NAFCU-backed measure that would subject retailers to some of the same data security requirements in place now for financial institutions.

Writing to the House and Senate last month, NAFCU President and CEO Dan Berger urged passage of a series of measures long sought by NAFCU, including:

  • a requirement that merchants be accountable for costs of breaches on their end;
  • a requirement that any business entity responsible for the storage of consumer data meet standards similar to the Gramm-Leach-Bliley Act requirements for credit unions and other financial institutions;
  • a requirement that merchants post their data security policies at the point of sale if they take sensitive financial data;
  • a requirement for the timely disclosure of the identities of breached companies and merchants;
  • measures to address violations of existing agreements and law on electronic retention of payment card information;
  • notification of the account servicer or owner of any compromised personally identifiable information associated with the account;
  • a duty for any breached merchant or retailer to demonstrate all necessary precautions were taken to guard data.

Leahy's bill is cosponsored by Sens. Al Franken, D-Minn., Chuck Schumer, D-N.Y., and Richard Blumenthal, D-Conn. It would, among other things, set criminal penalties for willfully concealing a security breach of personal data when it causes economic damage to consumers.

Credit unions will learn more about growing threats of third-party data breaches next month during NAFCU's Technology and Security Conference in Las Vegas.