[December 19, 2013]
NAFCU Urges Congress to Tackle Data Security
WASHINGTON --(Business Wire)--
NAFCU today issued the following statement:
Below is NAFCU President and CEO Dan Berger's letter to House Speaker
John Boehner and Minority Leader Nancy Pelosi reiterating NAFCU's call
for Congress to tackle the issue of data security and to make it a
priority in 2014. Members of the United States House of Representatives
were copied on the letter.
This same letter was sent to Senate Majority Leader Harry Reid and
Minority Leader Mitch McConnell. Members of the United States Senate
were copied on the letter.
If you would like more information on this matter or would like to speak
about this with a NAFCU expert, please let me know.
of Federal Credit Unions
3138 10th Street North
Phone: 703-842-2235
The Honorable John Boehner
U.S. House of
Washington, D.C. 20515
U.S. House of Representatives
Re: Congress Must Make Data Security a Priority in 2014
Dear Speaker Boehner and Leader Pelosi:
On behalf of the National Association of Federal Credit Unions (NAFCU),
the only trade association exclusively representing our nation's federal
credit unions, I write today to reiterate our call for Congress to
tackle the issue of data security. As we first wrote to you back in
February of this year as part of NAFCU's five-point plan on regulatory
relief, we urge the House to tackle the issue of data security for
personally identifiable and financial information.
Just this morning, the Wall Street Journal reported Target
Corporation confirmed that nearly 40 million credit card and debit card
accounts were compromised between November 27 and December 15, 2013.
Data affected in the breach includes customer names, credit and debit
card numbers, expiration dates, and CVV security codes. Now millions of
American consumers will spend the holidays worrying that their personal
financial data has been swiped because of where they did their holiday
shopping. This massive data breach follows a host of others in recent
years, not to mention smaller scale breaches that may not be picked up
by the national media.
Needless to say, the risk of a data breach continues to be a serious
problem for both consumers and businesses. Every time consumers choose
to use plastic cards for payments at a register or make online payments
from their accounts, they unwittingly put themselves at risk. Many are
not aware that their financial and personal identities could be stolen
or that fraudulent charges could appear on their accounts, in turn
damaging their credit scores and reputations. Consumers trust that
entities collecting this type of information will, at the very least,
make a minimal effort to protect them from such risks. Unfortunately,
this is not always true.
Financial institutions, including credit unions, have been subject to
standards on data security since the passage of Gramm-Leach-Bliley.
However, retailers and many other entities that handle sensitive
personal financial data are not subject to these same standards, and
they become victims of data breaches and data theft all too often. While
these entities still get paid, financial institutions bear a significant
burden as the issuers of payment cards used by millions of consumers.
Credit unions suffer steep losses in re-establishing member safety after
a data breach occurs. They are often forced to charge off fraud-related
losses, many of which stem from a negligent entity's failure to protect
sensitive financial and personal information or the illegal maintenance
of such information in their systems. Moreover, as many cases of
identity theft have been attributed to data breaches, and as identity
theft continues to rise, any entity that stores
financial or personally identifiable information should be held to
minimum standards for protecting such data.
Again, Target Corporation is just the latest in a string of several
large-scale data breaches impacting millions of American consumers. The
aftermath of these previous breaches demonstrates what we have been
communicating to Congress all along: credit unions and other financial
institutions - not retailers and other entities - are out front
protecting consumers, picking up the pieces after a data breach occurs.
It is the credit union or other financial institution that must notify
its account holders, issue new cards, replenish stolen funds, change
account numbers and accommodate increased customer service demands that
inevitably follow a major data breach. Unfortunately, too often the
negligent entity that caused these expenses by failing to protect
consumer data loses nothing and is often undisclosed to the consumer.
NAFCU urges Congress to make the issue of data security a priority in
2014, including convening hearings on the data protection standards of
merchants and what can be done to strengthen them. Furthermore, we
recommend Congress take action to enact provisions to protect consumers
from breaches that compromise their financial and personally
identifiable information. Data security is a common-sense bipartisan
issue that must be addressed.
With that in mind, NAFCU specifically recommends that the House make it
a priority to consider and act on the following issues related to data
Payment of Breach Costs by Breached Entities: NAFCU asks that
credit union expenditures for breaches resulting from card use be
reduced. A reasonable and equitable way of addressing this concern
would be to require entities to be accountable for costs of data
breaches that result on their end, especially when their own
negligence is to blame.
National Standards for Safekeeping Information: It is critical
that sensitive personal information be safeguarded at all stages of
transmission. Under Gramm-Leach-Bliley, credit unions and other
financial institutions are required to meet certain criteria for
safekeeping consumers' personal information. Unfortunately, there is
no comprehensive regulatory structure akin to Gramm-Leach-Bliley that
covers retailers, merchants and others who collect and hold sensitive
information. NAFCU strongly supports the passage of legislation
requiring any entity responsible for the storage of consumer data to
meet standards similar to those imposed on financial institutions
under the Gramm-Leach-Bliley Act.
Data Security Policy Disclosure: Many consumers are unaware of
the risks they are exposed to when they provide their personal
information. NAFCU believes this problem can be alleviated by simply
requiring merchants to post their data security policies at the point
of sale if they take sensitive financial data. Such a disclosure
requirement would come at little or no cost to the merchant but would
provide an important benefit to the public at large.
Notification of the Account Servicer: The account servicer or
owner is in the unique position of being able to monitor for
suspicious activity and prevent fraudulent transactions before they
occur. NAFCU believes that it would make sense to include entities
such as financial institutions on the list of those to be informed of
any compromised personally identifiable information when associated
accounts are involved.
Disclosure of Breached Entity: NAFCU believes that consumers
should have the right to know which business entities have been
breached. We urge Congress to mandate the disclosure of identities of
companies and merchants whose data systems have been violated so
consumers are aware of the ones that place their personal information
Enforcement of Prohibition on Data Retention: NAFCU believes it
is imperative to address the violation of existing agreements and law
by merchants and retailers who retain payment card information
electronically. Many entities do not respect this prohibition and
store sensitive personal data in their systems, which can be breached
easily in many cases.
Burden of Proof in Data Breach Cases: In line with the
responsibility for making consumers whole after they are harmed by a
data breach, NAFCU believes that the evidentiary burden of proving a
lack of fault should rest with the merchant or retailer who incurred
the breach. These parties should have the duty to demonstrate that
they took all necessary precautions to guard consumers' personal
information but sustained a violation nonetheless. The law is
currently vague on this issue, and NAFCU asks that this burden of
proof be clarified in statute.
On behalf of our nation's credit unions and their 97 million members we
thank you for your attention to this important matter. If my staff or I
can be of assistance to you, or if you have any questions regarding this
issue, please feel free to contact myself, or NAFCU's Vice President of
Legislative Affairs, Brad Thaler, at (703) 842-2204.
B. Dan Berger
President and CEO
cc: Members of the United States House of Representatives