Congress struggled last week to cobble together legislation to deal with online security as the latest credit card breach continued to spread throughout the country.
Most of the largest U.S. banks, including Citibank, JP Morgan Chase, Wachovia, Bank of America, Wells Fargo, Washington Mutual, PNC and National City Bank, joined dozens of credit unions, including giants The Golden 1 CU, State Employees CU of North Carolina, Digital Employees FCU, Bethpage FCU, and dozens of smaller institutions in shutting down credit/debit card accounts and reissuing cards as they were notified that thousands of accounts had been breached. Experts were estimating more than one million cards were being replaced in what is being recognized as the largest cards breach ever.
Meantime, U.S. and international law enforcement and financial authorities were working to locate the source of the latest security breach. Even though Visa had flagged transactions at office supplier OfficeMax, transactions at several other retailers were also being flagged last week, leading experts to conclude the breach was at a third-party processor that had performed processing for several companies. But that's where the trail ended, even while tens of thousands of dollars were being drained from U.S. cardholders' accounts in fraudulent transactions originating in foreign locales like Russia, Pakistan, England, Spain and South Africa.
"It definitely wasn't a retailer," said Avivah Litan, a cards expert with Gartner Group. "It's someone driving terminals or processing out transactions. That's where the encryption key is assigned. The question is: were they (the card numbers and PINs) stored or read in transit? My guess is they (the crooks) got it in transit."
In this atmosphere the House Financial Services Committee approved a data security bill that will require entities responsible for such breaches-retailers, processors or financial institutions-to notify consumers when their account information has been penetrated and puts consumers' financial accounts at risk.
But the bill, one of a handful being considered by Congress to deal with the expanding problem, falls far short of one preferred by credit unions.
Among the provisions sought unsuccessfully by credit unions was a measure that would enact as law voluntary guidelines required by Visa and MasterCard for retailers and processors to destroy all personal transaction information after use. That's where the problem lies, said Larry Blanchard, chief lobbyist for CUNA Mutual Group, which has seen card losses for credit unions triple over the past three years to $100 million last year, half of which was paid by the credit union insurer.
Blanchard referred to a survey released last week that indicated only 17% of retailers and other users of personal card information complied with the Visa and MasterCard standards. "We need a national standard on this," said Blanchard.
Jim Blaine, president of State Employees CU in North Carolina, which has been forced to replace more than 100,000 cards in the past year, agreed. He said retailers and others who hold on to confidential consumer data should be held liable for costs incurred by credit unions, banks and others because of a data breach. "We need to take a hard look at the issue of liability," said Blaine. "Uniform laws are needed, not just voluntary standards."
CUNA and NAFCU were also lobbying committee members prior to last week's vote on a provision that would require any entity responsible for a data breach to pay costs incurred by credit unions, banks and others to block and reissue cards and other related expenses.
CUNA also proposed that consumers be allowed to request within 90-days after notification of a data breach to have the responsible party pay for credit reporting service for up to six months.
NCUA did succeed in getting a provision into last week's bill that will allow the credit union regulator to write its own rules for adapting any new requirements. "We think it's important that NCUA write the rules for credit unions because we know credit unions best," said John McKechnie, chief congressional liaison for the agency.
But last week's bill will not be the final congressional action on the issue as other committees in both the House (Commerce and Judiciary) and the Senate (Banking and Judiciary) are also debating bills on data security.
Among the other issues being debated are:
* a proposal to allow consumers to put a "credit freeze" on their accounts when they believe an unauthorized third-party has accessed their information. Credit unions and banks oppose this proposal, saying it could cause confusion and wreak havoc on financial accounts;
* a proposal to phase-out the use of Social Security numbers as a unique personal identifier for people;
* who should be responsible for investigating and reporting data security breaches.
The variety of bills and jurisdictions over this issue ensures that any legislation passed by Congress this year will look far different that the bill passed by the Financial Services Committee last week.
