NAFCU letter to Chairman McCaul urging Congressional action on cybersecurity and data security
Re: Congress Must Address both Cybersecurity and Data Security
Dear Chairman McCaul:
On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation’s federally chartered credit unions, I write today with respect to your work on cybersecurity and the National Cybersecurity and Critical Infrastructure Protection Act (H.R. 3696) voted out of the Homeland Security Committee and passed the House earlier this Congress. Credit unions serve over 98 million members across the country and we appreciate your leadership in fighting against cyber threats in the financial services sector.
NAFCU supports this bipartisan legislation strengthening existing mechanisms in place to address cybersecurity issues such as the Financial Services Sector Coordinating Council (FSSCC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). These organizations work closely with partners throughout the government creating unique information sharing relationships that allow threat information to be distributed in a timely manner. NAFCU also worked with the National Institute of Standards and Technology (NIST) on the voluntary cybersecurity framework released earlier this year designed to help guide financial institutions of varying size and complexity relative to reducing cyber risks to critical infrastructure.
In addition to addressing the cybersecurity needs outlined in your legislation, NAFCU is hopeful that Congress will also take legislative action to address ongoing data security breaches at our nation’s retailers. Data security is an important part of the cybersecurity discussion and every time a consumer uses a plastic card for payment at a register or makes online payments from their accounts, they unwittingly put themselves at risk. Traditionally consumers have trusted that entities collecting this type of information will, at the very least, make a minimal effort to protect them from such risks. Unfortunately, in the wake of several headline grabbing retailer breaches in recent months, this does not seem to be the case today.
With the increase of massive data security breaches at retailers from the Target breach at the height of holiday shopping last year impacting over 110 million consumer records to the recent Home Depot breach impacting 56 million payment cards, Americans are becoming more aware and more concerned about data security and its impact. A Gallup poll from October 12-October 15, 2014, found that 69 percent of U.S. adults said they frequently or occasionally are concerned about having their credit card information stolen by hackers, while 27 percent of Americans say they or another household member had information from a credit card used at a store stolen in the last year. These staggering survey results speak for themselves and should cause serious pause among lawmakers on Capitol Hill.
Financial institutions, including credit unions, have been subject to standards on data security since the passage of the Gramm-Leach-Bliley Act and it is critical that any data security legislation include language to ensure they are not subject to any new onerous or duplicative regulations. However, retailers and many other entities that handle sensitive personal financial data are not subject to these same standards, and they become victims of data breaches and data theft all too often. While these entities still get paid, financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers. Credit unions suffer steep losses in re-establishing member safety after a data breach occurs. They are often forced to charge off fraud-related losses, many of which stem from a negligent entity’s failure to protect sensitive financial and personal information or the illegal maintenance of such information in their systems. Moreover, as many cases of identity theft have been attributed to data breaches, and as identity theft continues to rise, any entity that stores financial or personally identifiable information should be held to minimum federal standards for protecting such data.
Again, thank you for your important work on cybersecurity and the National Cybersecurity and Critical Infrastructure Protection Act (H.R. 3696). NAFCU supports this legislation and believes data security is an important part of the cybersecurity debate. Accordingly, we urge Congress to come together in a bipartisan way and put forward legislative recommendations to hold retailers to the same strict standards of data security and breach notification that financial institutions must already adhere to.
On behalf of our nation’s credit unions and their 98 million members we thank you for your attention to this important matter. If my staff or I can be of assistance to you, or if you have any questions regarding this issue, please feel free to contact myself, or NAFCU’s Vice President of Legislative Affairs, Brad Thaler, at (703) 842-2204.
Senior Vice President of Government Affairs & General Counsel