Strict Liability Urged In DataBreaches

WASHINGTON - (03/14/06) -- The credit union lobby is hopingthat Congress will expand proposed legislation on data security tocodify voluntary guidelines currently in force at Visa andMasterCard. CUNA Mutual Group, which insures more than 90% of allcredit union card programs, wants to see legislation that wouldrequire retailers and other users of credit and debit cards todestroy all magnetic stripe and PIN information immediatelyfollowing transactions, just as the card companies now require, orelse face legal penalties. A survey released last week shows thatonly 17% of retailers comply with the card company rule. "That'swhere the problem lies," CUNA Mutual lobbyist Larry Blanchard toldThe Credit Union Journal. "We need a national standard on this."Jim Blaine, president of State Employees CU in North Carolina,which has been forced to replace more than 100,000 cards in thepast year, agreed. He said retailers and others who hold on toconfidential consumer data should be held liable for costs incurredby credit unions, banks and others because of a data breach. "Weneed to take a hard look at the issue of liability," said Blaine."Uniform laws are needed, not just voluntary standards." AvivahLitan, cards consultant with the Gartner Group, said there is noreason for retailers to hold cards data. "No business needs tostore magnetic stripe or PINs," said Litan. The House FinancialServices Committee is scheduled to vote a data security billWednesday that does not address the issue of liability. The mainfocus of the House bill is consumer notification of a breach,according to a draft of the bill obtained by The Credit UnionJournal. The bill would require retailers, third-party processorsand financial institutions to notify their customers of a breach ifthe breach would cause 'substantial harm orinconvenience.'