WASHINGTON -- Credit unions have once again traveled to Capitol Hill in an attempt to build a case for increased federal regulation of card data security, this time at a hearing before the Subcommittee on Finance and Tax of the House Small Business Committee.
Speaking on behalf of NAFCU, Chairman John Milazzo, CEO of the $332 million Campus Federal Credit Union, which is headquartered in Baton Rouge, Louisiana, told the subcommittee everyone has been hurt by the continuing waves of data breaches.
"Data breaches are a significant problem for consumers and businesses alike," Milazzo told the subcommittee. "The Federal Trade Commission estimates costs to be in the millions of dollars each year for new account losses. NAFCU believes the most efficient way to address the growing number of data breaches is to create a comprehensive regulatory system for those entities that currently have none."
Milazzo blamed the continued data security problem on an approach to the issue that has not laid accountability for the breaches where it belongs.
Milazzo said there are two key reasons why those who currently hold sensitive information do not safeguard it sufficiently. First, the cost associated with the data breach is paid by others. Second, consumers mistakenly assume the financial institutions repairing the situation, i.e., issuing new cards or notifying them of the breach, are responsible for the security breach.
According to Milazzo, recent analysis indicates that credit unions have incurred over $100 million in payment card fraud in each of the last two years. He added this cost is ultimately borne by the credit union members in the form of higher interest rates on loans, lower dividends on savings and other reduced services.
Credit unions and other financial institutions already protect sensitive data as a result of the Gramm-Leach-Bliley Act (GLBA). Milazzo said that any new legislation should provide a safe harbor for financial institutions already in compliance with section 501(b) of Title V of the GLBA. "Failing to do so would place an undue burden and cost on financial institutions that would be forced to update existing systems," Milazzo argued. "Moreover, NAFCU believes if more regulations are needed to address new concerns, it should be the functional regulators that are charged with promoting the new rules."
Milazzo further stated that NAFCU believes that any bill approved by Congress should include language to reimburse, in a timely manner, affected financial institutions for the direct cost they incur due to a data security breach that was not their fault.
Federal action on the data breach question has been held up in a series of battles over jurisdiction and responsibility.