oWhen a breach occurs involving a merchant, the company provide useful and timely notice to financial institutions identifying the source and time of the breach, as well as the information that was compromised, as necessary for appropriate notification of consumers who may suffer substantial harm or inconvenience; oMerchants provide timely reimbursement to the consumer or financial institution for the cost of any notices and any losses they suffer; oFinancial institutions not be held liable if they reasonably conclude that misuse is unlikely because the information has been encrypted; and oStandards regarding data security requirements for the handling of personal and financial information should be uniform and provide adequate consumer protections.

CUNA also requested a review of regulation in this area to eliminate unnecessary burden.

NAFCU President/CEO Fred Becker echoed this sentiment, writing, "NAFCU member credit unions have raised concerns about the increasing level of responsibility being placed on financial institutions to prevent and mitigate identity theft and to bear the significant costs for fraud losses. NAFCU believes that the war against identity theft must be fought on several fronts and that there must be a coordinated effort to combat this crime. NAFCU strongly urges the Task Force to recommend increased liability for merchants, businesses, and other unregulated organizations that compromise consumer data security."

Becker highlighted that financial institutions are already covered under the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act, and multi-factor authentication requirements. "Thus, the continued prevalence of identity theft must not be attributed to the deficiencies of financial institutions. Rather, the problem lies with the unregulated businesses that fail to implement the necessary data security controls to adequately protect American consumers," he wrote. He noted that NAFCU's most recent Flash Report, which found that 27% of respondents experienced some form of a data security breach in 2005 or 2006 and that "most of these breaches occurred via merchants and processors." Among these credit unions, 86% reissued credit, debit, and/or ATM cards. In 2006, the average cost to credit unions for replacing each credit card was $6.60, and the average cost for replacing each debit card was $5.79, for an overall total of $4,600 in 2006 alone.

"Greater parity is crucial to ensuring that merchants and businesses are battling identity theft with the utmost vigilance, and that fraudsters are prevented from exploiting sensitive consumer data," Becker stated. He also emphasized nabbing the real bad guys, including strengthening criminal penalties. "NAFCU firmly believes that aggressive prosecution and tough punishment of identity thieves is crucial to eradicating this devastating crime," he concluded.

Changing the laws and regulations to place greater liability with the merchants and processors in identity theft is one area where credit unions and banks can work together.

ACB cautioned against overly restricting Social Security number usage, which are used for granting loans and other things. "We urge the Task Force to take into account any disruptions to the economy that might occur if use of SSNs were unduly restricted without an appropriate alternative being provided," ACB Payments and Technology Policy Director Stephen K. Kenneally wrote. "Banks recognize the importance of protecting private information while simultaneously using it in the normal course of business."

ACB backed national standards, as did the credit union groups. "A national standard would ensure that all consumers would have equal protection and allow businesses to focus on compliance with a single set of requirements. The growing patchwork of state laws and regulations increases the burden on entities maintaining the information, hurts the economy, and will not provide the most effective consumer protection," Kenneally said.

If consumer notice requirements are to be outlined in future legislation or regulations, he stated, "The entity that is responsible for the breach must be clearly identified to the consumer and bear the costs of notifying the customer, even if it is not the one sending the notice. Breaches caused by third parties involving credit cards subject banks that issued the cards to significant reputation risk, even when the bank is not responsible for the breach."

Kenneally continued, "In addition, ACB believes that the entity that is responsible for a data breach should bear the costs of protecting consumers, including reimbursing the banks the cost of canceling and reissuing credit or debit cards, as well as fraudulent charges to credit or debit cards."

The Identity Theft Task Force was established in May, including NCUA and other federal regulators, and has already issued an interim report. Though not required by law, it sought public input for its final recommendations to the president. –[email protected]