Sitting ducks no longer: It’s past time to protect our data

In today’s world, it is nearly impossible to keep your personal information personal. When it comes to financial data, consumers are increasingly exposed and run the risk of their personal information getting into the wrong hands with each use of a credit or debit card.

Since data breaches are falling into the category of everyday news, we need to work toward implementing a national data security standard. Consumers deserve to be protected, and our nation’s credit unions — those that serve the financial needs of these consumers — are asking for help from every entity that collects and stores personal financial information. 

{mosads}As of late October, there have been 1,120 recorded data breaches so far this year, according to the Identity Theft Resource Center. For comparison, in all of 2016, there were 1,091 data breaches. 

In just the past few months alone, we’ve seen 145 million consumers’ information compromised in the Equifax data breach. This is in addition to the countless other consumers who have had their personal financial data exposed by restaurant and hotel chain breaches. 

While there is no one easy solution to the growing number of data breaches, there are options available that could greatly diminish their frequency. One is to impose accountability; if a data breach occurs, the impacted entity should own the responsibility to make it right. 

This is the message Debra Schwartz, National Association of Federally-Insured Credit Unions (NAFCU) Board treasurer and president and CEO of Mission Federal Credit Union (San Diego, Calif.), gave to a House Financial Services subcommittee Wednesday during a hearing.

Policymakers know that better data protection is essential for effective consumer protection, but this issue goes beyond protecting consumers. Whenever any entity is breached, credit unions and other financial institutions are on the hook for the costs of replacing payment cards and making consumers whole again. 

Debra Schwartz of @MissionFed testifying for @NAFCU at Congress today – sharing the CU perspective on cybersecurity. #LetEmKnow #CUs pic.twitter.com/aLW7iCYFUR

— Elizabeth LaBerge (@EMYLaBerge) November 1, 2017

While credit unions will always do what it takes to serve their members, these costs arise frequently, and they are significant — especially for smaller financial institutions.

This June, a NAFCU survey of its members found that data breaches continue to be costly to the industry. Survey respondents noted that they were alerted about a possible breach to their member’s financial data an average of 189 times in 2016 — an increase over the amount of 2015 alerts for most respondents.

Respondents also estimated that merchant data breaches in 2016 alone cost each credit union approximately $362,000 in direct and indirect costs, including expenses related to monitoring, reissuance, fraud investigation or losses and insurance.

In light of the devastation data breaches cause to consumers and financial institutions, NAFCU and the credit union members we represent across the nation urge Congress to hold all entities to the same federal data standards that financial institutions follow under the Gramm-Leach-Bliley Act.

In addition, they emphasize that any comprehensive data security legislation would:

• require that entities be accountable for costs of data breaches that happen on their end;
• set national standards for those who collect and hold consumers’ personal and sensitive information;
• require that merchants post their data security policies at the point of sale if they take sensitive financial data;
• require timely disclosures of the identities of entities whose data systems have been violated;

• enforce existing agreements and laws for those entities and retailers who retain payment card information electronically;
• require that entities such as financial institutions be added to the list of those to be informed of any compromised personally identifiable information when associated accounts are involved; and

• impose the evidentiary burden of proving a lack of fault on the entity or retailer who incurred the breach.

Work on data and cybersecurity is ongoing, and hopefully, measures will be passed by Congress to ensure a level playing field for all those who hold onto consumers’ personal data. Credit unions’ priority has always been and will continue to be the well-being of their 110 million member-owners.

Data breaches show no sign of slowing down. It is incumbent on us to take the necessary steps to protect consumers with a national data security standard.

B. Dan Berger is president and CEO of the National Association of Federally-Insured Credit Unions.