Credit unions already have a great many data security requirements to comply with, and any additional laws should focus on regulating those entities that are not already regulated. That was the message Air Academy FCU's Glenn Strebe gave during testimony before a House subcommittee today.
“The best way to move forward and address data breaches is to create a comprehensive regulatory scheme for those industries that are not already subject to oversight. At the same time, the oversight of credit unions, banks and other financial institutions is best left to the functional financial institution regulators that have experience in this field. By and large, financial institutions, especially credit unions, have not been the source of significant data breaches,” he told the House Small Business Committee’s Subcommittee on Healthcare and Technology.
Strebe, who testified on behalf of NAFCU, said the association backs pending legislation that would require additional security standards for personal and account information and mandate notification procedures if there is a data security breach.
Credit unions have in recent years had to bear the costs of responding to data breaches at merchants and vendors. Strebe said his own credit union is “relentless” about protecting data: it has never been hacked from the outside, and no member’s sensitive information has ever been accessed without authorization.
He said the credit union has achieved this with a 13-point security plan that costs around $300,000 per year to maintain.
Strebe, whose credit union has $420 million in assets and $42,000, said any law to improve cyber security should: require merchants to pay the costs when they experience a data breach; mandate that merchants display their data security policy; and mandate a procedure for disclosing which companies have had a data breach.
In a letter to the subcommittee, CUNA President/CEO wrote that merchants face far fewer data security requirements than credit unions.
“Merchants are not subject to federal data security requirements, nor are they financially liable for damages. In some cases, merchants do not even face reputational risk as a result of a breach because they are not required, under federal law, to disclose a breach,” he wrote. “Until there are consequences to these bad actions, voluntary standards will not be sufficient to protect consumers.”