Cybercrime Thrives Amid Lack of National Data Security Standards for Retailers

Six months ago, the nation first learned of what is one of the largest breaches of consumer data in American history when news broke of a massive data breach at Target stores during the holiday shopping season. In the time since, the absence of action to create national data security standards for retailers has allowed cybercriminals to enjoy an open season on consumer data. Unfortunately, both consumers and their financial institutions, like credit unions, are paying the price.

Six months after the Target data breach, the statistics are staggering:

• Since Target's data breach, there has been a major data breach discovered almost every month, with breaches reported at Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, and P.F Chang's Chinese Bistro.
• Based on a recent Ponemon Institute survey, an estimated 47 percent of all American adults have been affected by data breaches over the last year, with an estimated 432 million online accounts being affected.
• According to the Identity Theft Resource Center, there were more than 600 reported data breaches in 2013 - a 30 percent increase over 2012.
• A recent Javelin Strategy & Research report (December 2013) found that financial institutions are doing a much better job than retailers when it comes to credit card security.
• According to the Verizon 2013 Data Breach Investigations Report, a breakdown of incidents across industries actually resulting from network intrusions, the retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers.
• Cybercrime is costing the global economy $575 billion and the U.S. economy $100 billion annually, according to a report from Intel Security and the Center for Strategic and International Studies - making the U.S. the hardest hit of any country.
• The latest Javelin study, "2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet," confirms that although financial institutions are the ones that often notify the cardholder of the breach, they are the ones that consumers associate with the breach, even if they were not responsible for it.

NAFCU was the first financial trade organization to call for national data security standards for retailers, and it continues to push for legislative action on Capitol Hill. While there have been numerous congressional hearings and a lot of "talking" on data security by various groups, consumers are still vulnerable as there are still no national data security standards for retailers. Credit unions and banks are already subject to such standards under the Gramm-Leach-Bliley Act, but retailers are not and have been actively opposing efforts to extend federal standards to them.

Unfortunately, the groups representing retailers continue to try to distort the truth about data breaches and push "chip-and-pin" technology as a panacea for data breaches. It is not. Most of the major data breaches have been engineered through malware, so no "chip-and-pin" technology would have prevented them.

Meanwhile, financial institutions continue to pick up the tab for data breaches. NAFCU estimates that the Target breach could end up costing the credit union community nearly $30 million. Unfortunately, credit unions will likely never recoup much of this cost, as there is no statutory requirement making retailers accountable for costs associated with breaches that result on their end.

NAFCU continues to recommend that Congress make the following priorities in any legislation and act on the following issues related to data security:

• Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to require entities to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame.

• National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under Gramm-Leach-Bliley, credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers' personal information. Unfortunately, there is no comprehensive regulatory structure akin to Gramm-Leach-Bliley that covers retailers, merchants and others who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.

• Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.

• Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.

• Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk.

• Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically when they are not supposed to. Many entities do not respect this prohibition and store sensitive personal data in their systems (i.e. how are you able to now return items without a receipt?), which can be breached easily in many cases.

• Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the party who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute.

For the sake of America's economy and consumers, we must take steps to make sure consumer financial information is safe from cybercriminals. We urge Congress to hold retailers to the same strict standards of data security and breach notification that financial institutions must adhere to.