Not a week goes by without headline-grabbing news about a large company, university or government agency that has suffered a data breach potentially impacting thousands, if not millions of Americans. At an alarming rate, consumers' personal information is being exploited through credit card fraud and a host of identity theft schemes. The financial impact on credit unions is growing.
According to the Privacy Rights Clearinghouse, since February 2005, when data-mining company ChoicePoint divulged that it had accidentally sold data on 145,000 consumers to criminals, there have been more than 100 million instances in which Americans have had their personal data compromised due to data breaches and related mishaps.
Of course, all of those breaches translate into additional costs for credit unions. CUNA Mutual Group estimates that credit unions lost approximately $100 million in each of the last two years due to plastic card fraud. NAFCU's own Flash survey, conducted last month, found that 27% of credit unions responding reported one or more data breaches in the last year, and 86% said they had to replace credit, debit or ATM cards as a result. The average replacement cost per credit card was $6.60.
Last year, Congress attempted to tackle the data security issue in a series of bills that ultimately bogged down over committee jurisdictional disputes. NAFCU was in the forefront of a joint effort by the financial services industry to set new national standards for data security, create new requirements for consumer notification and assign responsibility for the cost of making good on a breach to the party or parties responsible for causing it.
The new 110th Congress is off to a fast start on this issue, and NAFCU is hopeful that the stumbling blocks that prevented passage of a bill in 2006 can be quickly overcome. In an ironic twist, the recent high-profile data breach at TJX, the Massachusetts-based parent of TJ Maxx and Marshalls, may help spur action since it essentially occurred in the backyard of House Financial Services Committee Chairman Barney Frank, D-Mass.
Chairman Frank, a vocal supporter of consumer protections, has said he thinks retailers like TJX are not doing enough to protect their customers' data and that they should bear more of the costs now incurred by credit unions and banks when canceling accounts, issuing new cards and dealing with the fallout from angry and confused consumers. In fact, Chairman Frank is expected to unveil his own data security bill in the very near future.
Chairman Frank's comments underscore the fact that merchants and retailers are not held to the same standards in protecting personal and sensitive data as financial institutions; indeed, they are virtually unregulated in this regard. That's one reason why NAFCU supports creating a uniform national standard to protect financial information.
But NAFCU is also interested in making sure that these new standards do not create duplicative and additional layers of regulation for financial institutions. Credit unions must already comply with requirements under the Gramm-Leach-Bliley Act (GLBA) that specifically address data breaches. However, legislation marked up last year in the House Energy and Commerce Committee–and recently reintroduced–would create a new regulatory framework and make the Federal Trade Commission a kind of "super regulator" overseeing financial institutions as well as retailers. NAFCU believes the functional regulators such as NCUA should have authority over financial institutions, and we favor a safe harbor for those institutions already complying with the GLBA. Likewise, Chairman Frank has indicated that he supports regulations for data processors similar to the GLBA regulations for financial institutions.
At the same time, NAFCU supports placing the financial burden for repairing the damages associated with a data breach on the entity responsible, whether it is the financial institution, retailer, data broker or any other third party. NAFCU believes that the entity at fault should be responsible for the costs associated with loss, notifying regulators, law enforcement officials and credit bureaus, in addition to the costs incurred by financial institutions in their efforts to protect consumers who have been adversely impacted by the security breach.
Our hope is that Chairman Frank and other Financial Services Committee members will begin this year where they left off last year when they reported out the Financial Data Protection Act of 2006.
That bill, supported by NAFCU, would have established a uniform national standard to protect sensitive financial information while also requiring that consumers be notified of breaches. In addition, the bill would have required regulations for all depository institutions to be written by their functional regulator using the GLBA as a model. While NAFCU sought a provision to ensure that credit unions and other financial institutions would be reimbursed for losses by the parties responsible for data breaches, that measure did not make it into the legislation.
On the Senate side, NAFCU supported the Data Security Act of 2006, a key provision of which was the creation of a safe harbor for financial institutions already in compliance with the GLBA, and will again be working with the Banking Committee to get similar legislation introduced this year.
Last year, issues of jurisdiction ultimately stymied movement on data security. A promising sign is that Chairman Frank and Commerce Chairman John Dingell, D-Mich., have already begun talking about how to work more closely together. Chairman Frank has said the two panels are trying to reach consensus on a national standard for protecting personal financial data.
NAFCU looks forward to working with Chairman Frank on his bill and renewing the effort to better safeguard consumer information and reduce the burden on credit unions faced with breaches caused by other parties.