New Impetus For Data Theft Bill


Last week's revelation of a massive data breach at the Veterans Administration gave new impetus to legislation that would impose new penalties for poor data security and allow consumers to "freeze" their credit after their personal information has been stolen.

Several lawmakers cited last week's VA incident, in which names and personal information for as many as 26.1 million veterans were stolen on a computer disc, as the latest in a growing number of reasons why Congress needs to enact new laws to stem the breaches. "This breach is just the latest in a number of enormous breaches that highlight the need for a national (security) standard," said Rep. Darlene Hooley (D-OR) during a debate last week in the House Financial Services Committee.

Hooley, also a member of the House Committee on Veterans Affairs, vowed to see that new funding was available for the VA to notify all affected veterans that their personal information is at risk and for credit monitoring of those veterans for six months, an expense that could run into the tens of millions of dollars.

Credit union lobbyists agreed the VA case will give new momentum to their efforts to enact provisions requiring any entity responsible for a data breach, such as a third-party cards processor, retailer or financial institution, to pay any costs associated with the remedies. That would include the costs to notify customers, replace cards, and resolve incidents of fraud. Dan Berger, chief lobbyist for NAFCU, said such a requirement is not currently in any of the data security bills but they are working with lawmakers in the wake of the VA case to ensure that dozens of defense credit unions and others are not stuck holding the bill for any related costs.

This issue has become the top priority for credit unions, which have spent millions of dollars over the past two years to recall, then reissue, more than a million credit and debit cards at risk for fraud because of stolen data.

Rep. Deborah Pryce (R-OH), another member of the Financial Services Committee, insisted that any bill passed by the House should make government agencies like the VA responsible for notifying customers of a data breach, as well as private sector entities, like processors, retailers and financial institutions.

Another major issue debated last week was a provision that would allow consumers to enact a "credit freeze" after they have discovered incidents of fraud on their accounts. Some lawmakers said this would cause havoc by allowing individual consumers to freeze their credit every time they feel threatened.

The credit union lobby was also working last week to see that a provision is included in data security legislation that would enact as law Visa USA's and MasterCard International's administrative guidelines that require all retailers to destroy credit card information within three days after use, which has been identified as one of the main sources of identity fraud. Katie Herberger, a congressional lobbyist for CUNA, said they are working with lawmakers to get the provision added to a final bill.

After reviewing a bill passed by the House Energy and Commerce Committee, the Financial Services Committee last week voted a data security bill very similar to one the panel passed six weeks before. The Financial Services Committee rejected a measure that would set up the Federal Trade Commission as the final arbiter of rules and penalties on data security, and included a measure in its bill that would have each entity's regulator (NCUA for credit unions) develop its own rules.

The main function of the bill is to require that any entity notify its customers when a significant data breach has occurred.

However, the data security bill has a long way to go because there are still at least three different versions of a data bill working their way through the House, another one in the Senate, and still another expected to be introduced in the Senate Banking Committee any day.

SECURITY MEASURES IN PLACE AT CUs

Layered Security 50%

Shared Secrets 31%

Tokens (Certificates) 14%

One-Time Passwords 8%

Biometrics 6%

SOURCE: NAFCU
