Credit unions should not have to "foot the bill" when merchants and other companies fail to adequately protect customer information, Kim Sponem, president/CEO of Summit Credit Union, told a House subcommittee Wednesday.

"The current state of the law does not put enough responsibility on those handling this sensitive customer information to properly safeguard it," she said, in testimony prepared for the House Financial Institutions Subcommittee, on behalf of CUNA. "Any future legislation must address this lack of responsibility and accountability."

And she added that merchants and others should have to bear the cost resulting from data breaches. Summit is one of the plaintiffs suing Equifax over its huge data breach.

Congress has been struggling with how best to handle data breach legislation while attempting to balance the needs of consumers, merchants and financial institutions. The issue has even become a turf battle between House committees: the House Energy and Commerce Committee is viewed as more favorable to merchants' arguments, and the Financial Services Committee as more favorable to the arguments of financial institutions.

Sponem told the subcommittee that without enhanced data security protections for everyone involved in the payments process, there is unlikely to be any slowdown in data breaches.

She said that federal law requires financial institutions to develop procedures to protect consumer information from theft.

"Merchants are not subject to similar requirements at the federal level and the existing state laws do not do enough to protect consumers," said Sponem, whose credit union is located in Madison, Wis. and has more than $2.9 billion in assets.

Sponem acknowledged that there have been concerns about the ability of smaller merchants to maintain data security programs but added that if banks and credit unions can comply with such requirements, small merchants are likely to be able to do the same.

She said that the data breach problem is compounded by a lack of a uniform standard for consumer notification when a breach occurs.

"Merchants and other entities that possess payment card and other personal information should take responsibility for their systems and ensure that consumers and other stakeholders are properly notified when a data breach occurs, just as financial institutions are required to do," she said.

"Because of the lack of a uniform notification requirement, consumers are often unaware a data breach has occurred and may never learn that their personal information has been stolen or lost," she said.

Prior to the hearing, NAFCU Vice President of Legislative Affairs wrote to the subcommittee calling for an updated federal law that would require merchants and others to bear the cost of data breaches they cause, a national standard for safekeeping, and disclosure requirements, among other things.

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.