It's time for Congressional action on data security.
According to the Open Security Foundation, 2013 set a 10-year high for the number of data breaches. The Identity Theft Resource Center documented more than 600 breaches in 2013. PC World dubbed 2013 the year of the personal data breach.
The Target data breach has become a "never-ending story" and the recent revelation of the data breach at Neiman Marcus is likely to reinforce consumers' growing alarm at their vulnerability.
Beyond the national data breaches, ITRC confirmed that many others happened at a more local level. While the causes of these data breaches may have been varied, what they all have in common is that consumers' personal data, and in many instances, their financial account information, were ultimately put at risk.
Many Americans may not realize that data breaches can happen at any retailer, large or small. They also may not be aware of the risks associated with each transaction. In a data breach, the consumer is exposed to potential identity theft, fraudulent charges and damage to their credit scores and reputations.
While we are heartened by recent efforts in Congress to address these breaches, more needs to be done to make sure retailers and other entities safeguard consumers' sensitive information.
Financial institutions, including credit unions, have had certain standards of data protection in place since the 1999 enactment of the Gramm-Leach-Bliley Act. However, retailers and other entities are not subject to these same requirements.
Financial institutions also bear a substantial burden as the issuers of payment cards. In the event of a merchant data breach, for example, credit unions must notify accountholders, issue new cards, replenish stolen funds, change account numbers and accommodate the increased customer service demands that follow. They do this to protect their members, often at great expense, without help or compensation from the breached entity. They are often forced to charge off fraud-related losses, many of which arise from a negligent entity's failure to protect sensitive financial information or from its illegal maintenance of data.
The recent Target data breach confirms that cybercriminals are successfully capturing vital consumer data, and are often unchecked in their criminal efforts. The failure to strengthen the protection of this consumer data undermines still-fragile consumer confidence and potentially puts our whole economy at risk.
Unfortunately, the retailers continue to balk at the notion of being held responsible for their part in safeguarding consumers' sensitive data. The National Association of Federal Credit Unions believes if retailers want to reap the rewards of consumer sales, they should also take an active role in protecting their data.
It is with this in mind that NAFCU is calling on Congress to make comprehensive data security legislation a priority in 2014. We urge Congress to address the following issues related to data security:
- Require merchants to pay for the costs of breaches on their end, particularly when negligence is in play.
- Require any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
- Require merchants to post their data security policies at the point of sale if they take sensitive financial data.
- Require the timely disclosure of the identities of breached companies and merchants.
- Enforce data retention prohibitions in existing agreements and establish statutory standards prohibiting the retention of payment card information by retailers.
- Require merchants to notify the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account.
- Require any breached merchant or retailer to demonstrate all necessary precautions have been taken to guard data.
Simply put, Congress needs to protect Americans against the data thieves that can be lurking at every transaction, online and in stores. NAFCU urges lawmakers to make 2014 the year of data security by implementing stricter standards on the under-regulated entities that hold personal data. Without this fix, it is just a matter of time until consumers are once again harmed in the next data breach.
B. Dan Berger is president and CEO of the National Association of Federal Credit Unions.