Congress is failing consumers

At the end of February, three hearings were held in Congress regarding privacy and consumer data. Issues such as how to protect it, how to use it, and how to empower consumers to understand what’s going with it were examined in great detail by experts from the worlds of business, academia and tech.

These are important discussions. Yet, the subject of merchant responsibility to do more to help wasn’t raised once.

Even at the House Financial Services Committee session featuring the transgressions of the three major credit bureaus, any mention of the retailer role in protecting data was conspicuously absent.

Why has Congress, after five years of inaction on data security, decided to move on and treat the issue as if nothing can be done to bring merchants to the table and do its part to help protect consumers when it comes to cybercrimes?

If the early days of the 116^th Congress are any indication, there is a real danger that the issue of merchant responsibility will be put on the back burner and it will stay there unless credit unions and our allies do something and soon.

As president of the Defense Credit Union Council, an organization of 181 credit unions focused on the military community encompassing over 23 million consumers, protecting individual data is an everyday responsibility, and one that we value. Credit unions are legally obligated to adhere to high standards. Instead of looking at this as a burden, credit unions see it as part of our obligation to our members, one rooted in trust and security.

In that context, it’s hard to understand why the merchant lobby in Washington seems so intent on avoiding any and all calls to do more for the customers they serve.

Since the infamous 2013 Target breach, Congress has tried and failed to fashion changes to the law that would help the situation. Every attempt at reform, no matter how modest, has been met with a resounding no by the retailer community. Even though a 2018 study shows only about 8 percent of breaches occur at financial service providers, the retail industry seems intent on ensuring that we bear 100 percent of the responsibility when it comes to telling consumers about the breach, reissuing credit and debit cards and paying the freight for the fraud losses.

In short, the merchants have told Congress, “You don’t want to pick sides between retailers and financial institutions, so better to keep the status quo.” Unfortunately, keeping the status quo is picking sides, and it’s patently unfair to credit unions and our members. We need help from Congress.

What to do? I suggest three modest steps for the credit union community that may help.

First, embrace the new focus on privacy and strong consumer protections on data and engage in that debate. We are member-focused institutions, and as such we can help Congress come up with sensible and balanced laws by translating consumer needs into real protections. When it comes to credit unions, everything starts with the member.

Second, regarding those members, make sure they become aware, and stay aware, of the need for better data safeguards. That may start with their credit union, but it can’t end there. Consumers should expect every business to do a better job. Tell retailers to step up their game, in person, in the media and in the halls of Congress.

And most importantly, tell lawmakers not to forget about retailer responsibility. If the merchant community thinks they can get away with doing nothing, they will.

Consumer protection is everybody’s job. Let’s ask Congress to start making sure that everybody understands that “everybody” also means the retail industry.