Last week, Target Corporation confirmed that nearly 40 million credit card and debit card accounts were compromised between November 27 and December 15. One estimate of the cost of the data breach has been projected at $680 million. This news should be a wake-up call to consumers and policymakers alike that more needs to be done to protect the data affected in the breach including customers' names, credit and debit card numbers, expiration dates, and CVV security codes. This massive data breach follows a host of others in recent years, not to mention smaller scale breaches that may not have been reported in the media.
Many consumers may not realize that data breaches can happen at any retailer, big or small. The risk of a data breach is a serious problem for both consumers and community-based financial institutions like credit unions. Every time consumers choose to use plastic cards for payments at a register or make online payments from their accounts, they put themselves at risk. Many are not aware that their financial and personal identities could be stolen or that fraudulent charges could appear on their accounts, in turn damaging their credit scores and reputations. Consumers trust that entities collecting this type of information will, at the very least, make a minimal effort to protect them from such risks. Unfortunately, this is not always true -- and there are few laws requiring retailers to make such an effort.
Financial institutions, including credit unions, have been subject to data security standards since the passage of the Gramm-Leach-Bliley Act in 1999. However, retailers and many other entities that handle sensitive personal financial data are not subject to these same standards. Financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers. Credit unions suffer steep losses in re-establishing member safety after a data breach occurs. It is the credit union or other financial institution that must notify its account holders, issue new cards, replenish stolen funds, change account numbers and accommodate increased customer service demands that inevitably follow a major data breach. They are often forced to charge off fraud-related losses, many of which stem from a negligent entity's failure to protect sensitive financial and personal information or the illegal maintenance of such information in their systems.
As cases of identity theft continue to rise, any entity that stores financial or personally identifiable information should be held to minimum standards for protecting such data.
With that in mind, NAFCU specifically recommends that Congress make it a priority to consider and act on the following issues related to data security:
• Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require entities to be accountable for the costs of data breaches on their end, especially when their own negligence is to blame.
• National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Unfortunately, there is no comprehensive regulatory structure akin to the Gramm-Leach-Bliley Act that covers retailers, merchants and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
• Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.
• Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.
• Disclosure of Breached Entity: NAFCU believes that consumers have the right to know which business entities have been breached. We urge Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk.
• Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached easily in many cases.
• Burden of Proof in Data Breach Cases: NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the merchant or retailer who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute.
Bottom line: NAFCU urges Congress to make the issue of data security a priority in 2014 and enforce a stricter standard on merchants and retailers to protect consumers from breaches that compromise their financial and personal information. Based on current standards, the question is not if consumers' data will be compromised again but when.