Cybersecurity Legislation Holds Retailers Accountable
It is difficult to fathom that it has been almost two years since the massive Target data breach in December 2013 and that, despite the barrage of other retail breaches since, we still have no data security standards for retailers. Sadly, consumers are all vulnerable, and the tab for credit unions just keeps mounting.
As of June 9, the Identity Theft Resource Center had already recorded 348 breaches, with more than 107 million records exposed in 2015. If the beginning of 2015 is any indication, this year may surpass 2014 with even more data breaches. Cybercriminals are growing increasingly brazen. This year, there was a second breach at Sally Beauty Holdings, Inc.
As Congress continues to review cybersecurity and data security issues, it should keep in mind that consumers’ sensitive financial information will be ripe for cyberattacks as long as retailers lack national data security standards.
In April, I testified before the House Small Business Committee on data security, in a hearing titled “Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks.” In my testimony, I detailed how credit unions have successfully minimized data breaches and why it's important that others do the same. I covered the myriad steps that credit unions take to protect their systems and safeguard their members’ sensitive personal and financial information.
The fact is that no amount of diligence on the part of financial institutions will help prevent future data breaches from wreaking havoc on consumers until retailers are held accountable to a strong federal benchmark outlining information safekeeping standards.
Additionally, I noted that, according to Symantec's 2015 Internet Security Threat Report, more than 317 million new pieces of malware were created in 2014, and breaches were up 23% from 2013. While large companies across all sectors are still a prime target, 60% of all targeted attacks struck small and medium-sized companies last year.
Indeed, a recent New York Times article, “Hackers Go After Little Fish, Too, While Trawling for Credit Cards,” highlighted the fact that cybercriminals are now targeting small businesses as much as the larger retailers. This confirms what we have known all along. Cybercriminals will attack any retail outlet in the hopes of gaining access to consumers’ valuable personal information.
I hope that the news of this development adds some much-needed urgency to the pending legislation on data security.
The bipartisan S. 961, the “Data Security Act of 2015,” introduced recently by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.), and H.R. 2205, the companion House bill introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), are the ideal legislation currently before Congress. They would set a national data security standard for retailers akin to the Gramm-Leach-Bliley Act while acknowledging financial institutions’ existing adherence to GLBA standards.
The GLBA and its implementing regulations have successfully limited data breaches among financial institutions, and this standard has a proven track record of success since its enactment in 1999. This record of success is why we believe any future requirements must recognize this existing national standard for financial institutions such as credit unions.
Credit unions and their 100 million members have been hit particularly hard by ongoing merchant data breaches. Credit unions reissue cards, incur fraud losses and do everything they can to assist members who may be struggling with identity theft and other life-changing events due to a retailer's negligence.
Given the importance of getting the legislation right, I cannot impress upon you enough the need to contact your lawmakers to make sure they know S. 961 and H.R. 2205 offer the solution needed to address data breaches. This is an opportunity for us to make sure that the right legislation gets passed. While NAFCU has been busy on the Hill advancing credit unions’ perspective on this legislation, we need your representatives to hear from you directly on this critical issue. Together, our voices are stronger, and we hope we can bring the much-needed data security standards for retailers to fruition.
B. Dan Berger is president/CEO of NAFCU. He can be reached at 703-522-4770 or firstname.lastname@example.org.