Press

CUNA urges President Obama to form Cybersecurity Council, take action on data breaches

(September 30, 2014) — The Credit Union National Association’s (CUNA) president and CEO Jim Nussle sent a letter to President Barack Obama urging the president to establish a Cybersecurity Council that would report to the president and would be charged with developing a comprehensive and timely approach to the range of issues associated with cybersecurity attacks on businesses and consumers in this country. CUNA notes that many of the most recent massive data breaches have taken place in systems operated by merchants, not financial institutions, and one important problem with current law is that, even when fault in a data breach lies with a merchant, credit unions and financial institutions are assigned many of the financial costs.  One job of the Cybersecurity Council should be to help align liability with responsibility for these breaches.

Additionally, CUNA urges the Administration to support data security legislation with three principles:

  • All participants in the payments system should be responsible and be held to comparable levels of federal data security requirements;
  • Those responsible for the data breach should be responsible for the costs of helping consumers;
  • Consumers should know where their information was breached.

See the full letter below:

September ­­30, 2014

President Barack Obama
1600 Pennsylvania Avenue, NW
Washington, DC 20500

Re:         Cybersecurity

Dear Mr. President:

On behalf of the Credit Union National Association (CUNA), I am writing to urge you to establish a Cybersecurity Council that would report to you and would be charged with developing a comprehensive and timely approach to the range of issues associated with cybersecurity attacks on businesses and consumers in this country. CUNA is the largest credit union advocacy organization in the United States, representing state and federal credit unions that serve over 100 million small business and consumer members.

Former Congressman Lee Hamilton, Vice-Chairman of the 9-11 Commission, is one of the proponents of such a council.  We urge the Administration to give this idea full consideration, coordinating with Congress, agencies that are already addressing aspects of cybersecurity including prudential financial regulators, and the private sector to establish it.

Your Administration has taken a number of important steps to address cyberterrorism and data security breaches, including the issuance of your Executive Order on “Improving Critical Infrastructure Cybersecurity” and the National Institute of Standards and Technology’s new framework, which we have promoted to our members. Among other things, you have also established within the U.S. Department of the Treasury the Financial Sector Cyber Intelligence Group, which coordinates with the Financial Sector Information Sharing and Analysis Center (FS-ISAC).

CUNA participates with FS-ISAC and the Financial Services Sector Coordinating Council. We also work with key industry workgroups to promote better data security for merchants and to represent credit union interests; these include the Visa MasterCard Payments Security Task Force; payments workgroups with the major financial services trade associations; and BITS with the largest financial institutions.

As you know, many of the most recent massive data breaches have taken place in systems operated by merchants, not financial institutions.  One important problem with current law is that, even when fault in a data breach lies with a merchant, credit unions and financial institutions are assigned many of the financial costs.  One job of the Cybersecurity Council should be to help align liability with responsibility for these breaches.  Such a system would give more incentives to all parties to take cybersecurity seriously.  In addition, when credit unions reissue compromised cards, under current rules they are not permitted to reveal the reason for the reissuance, leaving the impression among many credit union members that it was the credit union that allowed the data to be compromised.

Thus, in addition to establishing a Cybersecurity Council, we urge your Administration to support data security legislation with these three principles: 1) All participants in the payments system should be responsible and be held to comparable levels of federal data security requirements; 2) Those responsible for the data breach should be responsible for the costs of helping consumers; and 3) Consumers should know where their information was breached.

We will continue our range of activities in this area, stressing that cybersecurity and data security solutions should not necessitate new rules for credit unions and other financial institutions as they are already subject to robust requirements and standards in this area.

Yet we feel there is much more that must be done to address cybersecurity issues, such as the formation of a new council. There are many issues confronting our nation but cybersecurity is certainly one of the most critical. We urge you to appoint the council as soon as possible drawing from the very best qualified individuals available.

Sincerely,

Jim Nussle
CUNA President and CEO

More News