WASHINGTON -- The same problems of divided jurisdiction and a divided overall card industry continue to bedevil efforts to draft federal legislation to confront the ongoing problem of card data security, while credit union frustration with the problem has continued to rise.
"I have to say that this problem has sent me to anger management classes," said James Blake, CEO of the $1.3 billion HarborOne Credit Union, headquartered in Brockton, Mass., to a standing room only crowd at Data Security: Whose Responsibility?, a break out session at CUNA's Governmental Affairs Conference.
Blake was only half joking as he railed against what he called the "unbelievable arrogance" demonstrated by the TJX Corporation retail chain in the way they mishandled their card data and its security.
TJX, based in Massachusetts, is the parent company for TJ Maxx and other retail brands in the U.S. as well as Canada and the United Kingdom. The company is the source of the latest round of card security breaches and recently announced that the breaches have been more widespread and deeper than it had first believed.
Blake went out of his way to castigate the company and its leadership.
TJX made a calculation, Blake said, that it was cheaper to not pay the millions of dollars it was going to take to upgrade card data security and to let the consumers and financial institutions remain open to long-term risk than to keep consumers safe.
He also noted that research he had conducted with records from the Security and Exchange Commission revealed the company's executives were rewarded on the basis of company performance and he speculated whether there had not been a conflict of interest.
"It's not hard to see if the costs of fixing the security problem might undermine the company's earnings and their own pay that the leaders might not have been in a hurry to correct the problem," Blake said.
Some experts have estimated more than 100 million card accounts across the U.S. have been touched by a card security breach. To illustrate how widespread the problem had become, Blake had everyone in the audience raise their hand and then asked them to put their hands down as they heard the name of a retailer, company, or government agency with whom they had some relationship. He proceeded to name firms and agencies that had card breaches. While there was one person who lasted a relatively long way into the list, until Blake reached Blue Cross and Blue Shield, most of the audience put their hands down far sooner.
Blake and subsequent speakers from the audience also focused their ire on Visa and MasterCard, charging that by not enforcing their contracts on the retailers or their transaction acquirers, the companies were in danger of undermining the whole card payments system.
"Essentially, when it comes to card security, a consumer can't count on anything when they see a Visa or MasterCard logo in a store. It's become a joke, Blake said.
But while the audience seemed frustrated, there was far less consensus on what could or should be done to correct the problem.
While Massachusetts and several other states have legislation in the works to confront the problem and ensure that those responsible for the breaches pay for the damage, Larry Blanchard, senior vice president of CUNA Mutual Group, said the issues of divided jurisdiction hampered the effort to craft a federal response to the problem in the last Congress, and it is still a problem.
It is not clear which congressional committee will take the lead on the issue or which federal agency will take the lead in enforcing whatever federal law might be passed. This is particularly significant because, until the jurisdiction questions have been answered, any legislation remained unlikely, Blanchard indicated.
He noted that CUNA Mutual and credit unions interested in the topic had met with Rep. Barney Frank (D- Mass), chairman of the House Committee on Financial Services, and found him supportive. Blanchard said the credit union group made it clear to Frank that the industry wanted a very clean bill, not a "Christmas tree-like" piece of legislation that might be filled with extraneous issues like card interchange and other issues.
Getting such a bill will be a significant challenge since there will need to be support from the banks and the retailers to resolve the conflict over jurisdiction. In exchange for their support, those groups may want the bill to become exactly the sort of "Christmas tree" legislation that Blanchard indicated credit unions were anxious to avoid.
Further, there is still the problem of significance. While the card security breaches have been a very big problem for many credit union card programs and some small banks, they have been not been considered as big a problem for the larger banks and the card associations who have generally seen them as the cost of doing business. As long as that attitude prevailed, it was going to be very difficult to move on the problem.
But Frank Liddy, a partner with Enterprise Security Solutions, a division of Unisys, pointed out that the company's research had found a type of fraud, which he called "low and slow" fraud, that could begin to make the card brands and larger banks get more energized on the issue.
In "low and slow" frauds, small amounts of money, small enough not to trigger most neural networks are charged onto card accounts and are also unlikely to be caught before they rack up serious losses. "These losses and the way they might be able to defeat current prevention programs may bring more larger banks along," he said. A Credit Union Card Brand?
Several session participants put forward ideas for ways that credit unions could counter the problem on their own.
One credit union executive said her credit union had been including their cardholders' state and local legislators contact information with the letters that informed members of the card security breach and the need to issue new cards.
Blake seconded the idea and said HarborOne had also done that, but he also suggested credit unions consider founding their own card brand, available to their 90 million members, to compete with the other card brands with an assurance of consumer safety. "If Discover could do it, we should at least consider it," Blake said. --firstname.lastname@example.org