The views expressed by contributors are their own and not the view of The Hill

B. Dan Berger: America needs national data security standards for retailers now

Given the growing number of data breaches at our nation’s merchants, it makes sense to address the lack of national data security and breach notification standards for retailers now. As he gives his State of the Union speech, we hope President Obama will build on his recent focus on cybersecurity and data security, and work with Congress to advance critical data security legislation.

Data breaches are taking a huge toll on Americans and our economy.

• Based on CNN Money data, almost half of all American adults had personal information exposed by hackers in the past 12 months.

• In 2014, the number of U.S. data breaches hit a record high of 783, a 27.5 percent increase over the previous year, according to a recent report by the Identity Theft Resource Center.

• Since the data breach at Target, a major breach has been discovered almost every month, including at Home Depot, Michaels stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, P.F. Chang’s China Bistro, SuperValu, Dairy Queen, Jimmy John’s and more.

• The National Association of Federal Credit Unions (NAFCU) estimates show the Target breach will cause financial institutions to lose nearly $500 million in card replacement costs and other expenses.

Financial institutions, including credit unions, have been subject to effective standards on data security since the passage of the Gramm-Leach-Bliley Act in 1999. We hope to see retailers and the many other entities that handle consumers’ sensitive personal financial data held to the same type of standard, without subjecting financial institutions to new, onerous or duplicative regulations.

We believe national data security and breach notification standards, for all segments of the payments system, are essential for any program to succeed in keeping consumers’ personal and financial data as safe as possible. Holding retailers that accept electronic payment transactions to proven standards like those set under the Gramm-Leach-Bliley Act makes sense for everyone.

Credit unions — not-for-profit, member-owned financial institutions — are on the front lines assisting their 100 million members in the wake of ongoing data breaches. 

In the event of a merchant data breach, they must notify accountholders, issue new cards, reimburse stolen funds, change account numbers and accommodate the increased customer service demands that follow. They do this to protect their members, often at great expense, without help or compensation from the breached entity.

They are often forced to charge off fraud-related losses, many of which arise from a negligent entity’s failure to protect sensitive financial information or from its retention of payment data that it was not permitted to keep.

Many retailers continue to push for the adoption of chip-and-PIN technology, and many financial institutions are already moving toward that goal ahead of the card networks’ October 2015 liability shift for chip-card acceptance.

While we support such advances, chip-and-PIN is not a panacea. Most of the major retailer data breaches have been executed through malware that captures card data as it passes through the merchant’s point-of-sale systems; chip-and-PIN does not stop that capture, it mainly limits how useful the stolen data is for producing counterfeit cards, so it would not have prevented those breaches. Nor does chip-and-PIN protect against online fraud, where no physical card or PIN pad is involved. An October 2014 Javelin study projects that online card fraud will rapidly increase despite the U.S. transition to the new technology.

The NAFCU was the first financial trade organization to call for national data security standards for retailers in the wake of the massive Target breach, and we continue to push for legislative action. 

The association is calling on Congress to do the following:

• Require merchants to pay for the costs of breaches on their end, particularly when negligence is in play.

• Require any business entity responsible for storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.

• Require merchants to post their data security policies at the point of sale if they take sensitive financial data.

• Require timely disclosure of the identities of breached companies and merchants.

• Enforce data retention prohibitions in existing agreements and establish statutory standards prohibiting retailers’ retention of payment card information.

• Require merchants to notify the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account.

• Require any breached merchant or retailer to demonstrate all necessary precautions have been taken to safeguard data.

We recognize cybersecurity and data security are complicated issues, so we also think it’s time Congress established a bipartisan, bicameral working group to tackle them. 

This group would help develop legislative proposals to help prevent the kinds of massive data breaches that have exposed tens of millions of consumers’ debit and credit cards to fraudulent activity in recent months. We hope Obama’s speech helps create the impetus for action. We must break the legislative logjam and establish data security standards for retailers to help make Americans’ data security safer now.


Berger is president and CEO of the National Association of Federal Credit Unions.