NAFCU email to Congress in response to misinformation sent to the Hill via the retail community

WASHINGTON, DC (March 7, 2014) — 

Good afternoon,

Data breaches at the hands of retailers are happening all the time, yet there is no federal standard for merchants regarding the safekeeping of financial information or data breach notification efforts. The recent Target breach grabbed headlines given the number of consumers it impacted at the height of holiday shopping season. But the breaches have continued with recent ones coming to light at Neiman Marcus, Michaels and White Lodging. Just this week there have been reports of national breaches at both Smucker’s and Sally Beauty. In addition many smaller breaches happen all too often on the local level, whether at your neighborhood grocer or convenience store. All told, according to the Privacy Rights Clearinghouse, there have been over 450 retailer breaches since 2007 resulting in the exposure of nearly 200 million consumer financial and personally identifiable records.

Sadly, with consumer data breaches happening with increasing frequency, some in the merchant community want to spend their time attacking the same credit unions that have been on the front lines in cleaning up their mess for the 97 million Americans who are credit union members.

The estimated costs of the Target breach alone on credit unions is close to $30 million dollars. Most credit unions have yet to see a dime back from the retailers to cover these costs. Unfortunately, the cost of these breaches takes money away from credit unions that they would return to their members in the form of lower rates, rebates and higher interest for checking and savings accounts.

Credit unions know and understand that preventing data breaches will be a group effort involving all points of the electronic payments system, and will continue to comply with the data security standards already outlined for financial institutions in federal statute.  But more must be done to hold merchants accountable.

Below are three simple suggestions that we feel could go a long way towards easing the burden of data breaches on the American consumer.

  • National standards for safekeeping information– It is critical that a consumer’s sensitive personal information be safeguarded at all stages of transmission. There should be a federal standard that personal information, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers are all secure. Consumers should be able to trust that entities collecting this type of information will, at the very least, make a minimal effort to protect them from such risks.  Credit unions and other financial institutions already have this requirement under federal law.  We hope that the groups representing merchants will support such a law for their members.
  • Set notification and disclosure standards- Guarantee that all necessary parties are informed in a timely manner when and where a data breach has occurred. Establish standards for identifying potential identity theft threats and require standards for information sharing so when red flags come up we are able to act early and act fast to protect consumer’s financial well-being. Credit unions and other financial institutions already have this requirement under federal law.  We hope that the groups representing merchants will support such a law for their members.
  • Limit a consumer’s liability– If a data breach occurs it is our job to provide affected consumers with necessary resolution tools such as remuneration; monitoring accounts for fraud; reissuing cards and other tools necessary to help them recover from financial burden.  Credit unions are already doing this, often on their own dime. What those representing merchants often forge to tell you is that their associations are fighting tooth and nail not to do this by opposing a legal settlement on the credit interchange issue that is supported by hundreds of other merchants and even challenging in court the fraud costs their members are being asked to pay under the Federal Reserve’s Debit Interchange Rule.

According to the Verizon 2013 Data Breach Investigation Report, a breakdown of incidents across various industries actually resulting from network intrusions, the retail industry was far and away the number one target, with nearly 22 percent of network intrusions occurring at retailers. Clearly, something needs to be done.

Finally, while some argue for financial institutions to expedite a switch to a “chip and pin” card, the reality is that it is no panacea for data security and preventing merchant data breaches. Many financial institutions that issue “chip and pin” cards had those cards stolen in the Target data breach as the retailer only accepted magnetic stripe technology at the point of sale where the breach occurred. Furthermore, “chip and pin” cards can be compromised and used in online purchase fraud, as the technology is designed to hinder card duplication and card information can still be compromised. This fact highlights the need for greater national data security standards as the way to truly help protect consumer financial information.

NAFCU looks forward to working with Congress and others in the payment system to come up with these greater national standards in order to help the American consumer.


Carrie Hunt
SVP of Government Affairs and General Counsel
National Association of Federal Credit Unions

More News