WASHINGTON – Lawmakers are calling for immediate action to pass long-stalled data-security legislation in the face of last week’s news of a massive data breach at cards processor Global Payments Inc.
Rep. Mary Bono Mack called on her House colleagues to pass her data-protection bill, the Secure and Fortify Electronic (SAFE) Data Act, which would require security policies and procedures to protect data containing personal information, and would provide for nationwide notice in the event of a security breach.
“Consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them,” said the California Republican.
The latest cards breach, which may have exposed millions of Visa, MasterCard and Discover cards to hackers, has reignited hope among credit unions that their long fight for data security legislation could come to fruition.
Though legislative proposals that would have required immediate public notification and reimbursement by the breached parties have been dismissed in past Congresses, the hope is that pending cyber security bills aimed at protecting government and other important institutions from hackers will serve as a vehicle for the cards bills.
“There’ll be tons of amendments,” Larry Blanchard, a CUNA Mutual Group lobbyist who has been working on the issue for a decade, told Credit Union Journal this weekend. “We expect there will be a lot of amendments to the bills having to do with cyber security and data breaches.”
Movement on the data security issue, interest in which ebbs and flows with the discovery of large-scale cards breaches, has been plagued by the interests of two powerful Washington lobbies on opposite sides of some of the issues – the credit unions and banks who issue cards and must plug the breaches, and the merchants who often are the victims of hackers.
The card issuers have fought for years for bills that would require the victims of hacking to immediately notify the affected parties – cardholders in most cases – and to pay the costs to resolve the hacking, such as card replacements and fraud restitution. But the merchants, who would be liable for the reimbursement costs and for the harm public notification would do to their reputation, have opposed such measures.
CUNA Mutual Group, which insures thousands of credit unions in such instances, has been lobbying on a dual track, with a focus on a national effort in Congress, and separately in the states – where the credit union insurer has been successful in getting legislation passed in several states requiring notification of data breaches.
But the issue of reimbursement of costs, which has amounted to millions of dollars for credit unions over the past decade, has been elusive so far.
CUNA Mutual’s Blanchard and other credit union lobbyists are doubtful any cyber security bill, with or without the credit union-favored provisions, will be passed this year, but see the ongoing congressional debate as setting a mark for the next Congress.
“Honestly, I don’t know whether Congress will be able to enact something on cyber security this year, but if they proceed on this issue, it may open the door to consider the liability issues associated with merchant level data breaches to ensure that credit unions are reimbursed for the costs they bear as a result of breaches occurring elsewhere,” said Ryan Donovan, chief lobbyist for CUNA. “And, if breaches like this continue, I think there will be more pressure on Congress to act on the broader issue sooner rather than later.”










