CUNA tells Congress merchants should be held accountable for data breaches
(September 9, 2014) — The Credit Union National Association (CUNA) sent a letter to members of Congress following the recently confirmed data breach at Home Depot. CUNA states that Congress must protect consumers by taking steps to enhance data security standards for merchants. All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allow merchants to abdicate their responsibility to others. Breaches can be prevented if Congress would subject merchants to the same federal data protection standards to which credit unions and other financial institutions are already subject.
Read the full letter below:
September 9, 2014
On behalf of the Credit Union National Association (CUNA) and America’s 100 million credit union members, I am writing regarding the recently confirmed data breach at Home Depot. CUNA is the largest credit union advocacy organization in the United States representing America’s 6,600 credit unions and their 100 million members.
Yesterday, Home Depot confirmed that it had suffered a data breach, the size of which may be larger in scope than the Target data breach that occurred late last year. Consumer data is in the hands of criminals; victims are being made aware of their vulnerability by their card issuers – banks and credit unions that will ultimately bear the financial brunt of the breach.
When a data breach like this one occurs, credit unions immediately take steps to protect their members. They know what to do because they have had to do it all too often: they notify their members, make a determination of whether to reissue debit and credit cards, increase call center staff, set up account monitoring, and other activity. These steps are not without cost, much of which is not reimbursed. The impact of merchant data breach related costs is far reaching. For the not-for-profit credit unions operating on already thin margins, these costs make a significant difference in their bottom line and therefore in their ability to offer services to their members.
Merchant data breach is a chronic, but preventable, issue. Breaches occur over and over again because data security standards are inconsistent across the board. Breaches can be prevented if Congress would subject merchants to the same federal data protection standards to which credit unions and other financial institutions are already subject.
Under today’s federal law, merchants are not held accountable for the costs their breaches impose on others. Until and unless merchants are held accountable for the damages that breaches to their systems cause financial institutions and consumers, we have little confidence that they will be incentivized to properly secure their systems. EMV, tokenization and other technologies are critical to the innovation of the payments system; however, the key role for Congress to play in addressing the issue of merchant data breaches is to make sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others.
All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable.
As Congress considers legislative remedies, credit unions support three basic principles:
- All participants in the payments system should be responsible and be held to comparable levels of federal data security requirements.
- Those responsible for the data breach should be responsible for the costs of helping consumers.
- Consumers should know where their information was breached.
Unfortunately, the Home Depot breach will not be the last merchant data breach. Congress must protect consumers by taking steps to enhance data security standards for merchants.
On behalf of America’s credit unions and their 100 million members, thank you for your attention to this very critical matter and your consideration of our views.
President & CEO