CUNA, NAFCU Call Out Data Security Bill Flaws
CUNA and NAFCU have called on lawmakers to address what a retailer’s responsibility will be for the cost of a data breach on their system as part of a data security bill that’s currently being considered by a House committee.
The House Commerce, Manufacturing and Trade Subcommittee marked up the Data Security and Breach Notification Act of 2015 on Wednesday. The bill has advanced to the full House Energy and Commerce Committee.
Meanwhile, the National Retail Federation has been advocating for financial institutions to embrace chip and PIN credit cards to combat fraud.
NAFCU Vice President of Legislative Affairs Brad Thaler said retailers should be required to help pay for the cost of a breach that occurs under their watch.
“Liability requirements should be put on merchants if they are responsible for a breach,” he said. “We ultimately want to see the bill strengthened as it moves through the process and we continue to urge the full committee to do that when the bill arrives.”
Thaler said NAFCU supported a manager’s amendment to the bill in the subcommittee markup that included language exempting federal and state chartered credit unions from additional data security requirements.
“They would not be covered under the new requirements of the act,” Thaler said. “Our argument has been that credit unions are subject to Gramm-Leach-Bliley Act protections already, and we don’t want to see new regulatory burdens put on them. The retailers need to be brought up to par to the standards financial institutions already have in terms of protecting financial and personal data.”
John McKechnie, partner at the Washington-based consulting firm Total Spectrum, said the bill is a step in the right direction but not ideal for credit unions.
“There is much more to be done, especially in the area of national standards for data protection and financial accountability for negligent retail businesses,” he said. “Credit unions have to insist that Congress tackle data security sooner rather than later. They should have done something last year, and consumers can’t afford more delay.”
Read more: CUNA Chief Advocacy Officer Ryan Donovan believes the bill does not improve data security as it stands...
CUNA Chief Advocacy Officer Ryan Donovan said credit unions have not been reimbursed for any of the costs related to the Target breach. He argued that the bill does little to improve the situation in its current form.
“There is no liability for merchants that don’t follow data security standards, which is another one of our concerns with the legislation,” he said. “Basically, all the bill says is there should be responsibility standards. OK well, what does that mean? Who is going to define what that means and what are the consequences if you don’t follow the standards?”
Mallory Duncan, the senior vice president and general counsel at the NRF, said merchants already pay more than their share of costs resulting from breaches and fraud. When asked about the Target data breach, Duncan said he was not sure if credit unions have been reimbursed for any of the resulting costs.
“It’s not surprising that banks and credit unions would like someone else to pay for problems in their system that they are not willing to fix,” he said.
Duncan said card issuers are relying on nothing more than 20 numbers, a name and a signature.
“That may have been a great product half a century ago when it was introduced,” he said. “But in a world where everybody has a card and people are traveling, what is the likelihood that anyone knows your signature when you walk in the store?”
According to Duncan, the NRF has been asking financial institutions for more than 10 years to improve card technology. He argued that financial institutions have been unwilling to upgrade their systems in a meaningful way.
“Instead, they have said, no, let’s put the responsibility on other people, and they have asked the merchants to pay for PCI, which is proven to be woefully ineffective,” he said. “And they have asked merchants to pay higher rates of swipe fees, a portion of which the Fed already gives them to cover the cost of fraud.”
Duncan also said financial institutions’ resistance to PIN verification makes the credit cards more susceptible to fraud.
“You put all that together and they turn around and say we [retailers] should pay even more to protect their fraud-prone system,” he said. “They must be smoking something.”
While PIN verification would not have prevented the Target breach from occurring, Duncan said it would have made the stolen cards unusable when they were cloned.
“The thieves would not have had the PINs,” he said. “The breach would have occurred, but if the product of the breach is not usable, what difference does it make?”
CUNA and NAFCU have pointed out that the stolen information from the Target breach would still be usable online, despite PIN verification.
“They’re putting their heads in the sand on this because the reason it doesn’t help online is they told the world they were going to issue EMV cards, and asked merchants to go out and buy chip and PIN readers at a great expense,” Duncan said. “Then, they introduced chip and signature cards, so they introduced cards that are only halfway protective.”