NAFCU testifies to Congress: National data security standard needed now

WASHINGTON, DC (March 8, 2017) — Chevron Federal Credit Union President and CEO Jim Mooney will testify today on behalf of the National Association of Federally-Insured Credit Unions (NAFCU) before the House Small Business Committee on the impacts on credit unions and consumers of retailer and merchant data breaches and the need for a national data security standard.

Today, Mooney’s testimony will cover credit union efforts to maintain a successful track record of protecting their members’ information; NAFCU’s work on the cyber and data security front; the impacts of three recent retailer and merchant data breaches on credit unions and consumers, including the financial burdens they have faced; and NAFCU’s principles for data security reform and potential legislative next steps to address consumer data threats in the 21st century cyber environment.

Mooney, whose credit union is headquartered in Oakland, Calif., is testifying before the committee in today’s hearing, “Small Business Cybersecurity: Federal Resources and Coordination,” which begins at 11 a.m. Eastern. Mooney is also chair of the NAFCU Cybersecurity and Payments Committee.

Mooney will discuss how the lack of a national data security standard for merchants has impacted his credit union. “During the four-year period of 2013-2016 – during which we implemented EMV – our card-related fraud losses tripled, with 2016 losses approaching three-quarters of a million dollars,” he says. He will detail the costs credit unions incur when a merchant data breach happens, including the costs of reissuing cards, monitoring accounts and fraud investigation and related losses.

In his testimony, Mooney discusses the need for a national data and cybersecurity standard and how the Gramm-Leach-Bliley Act (GLBA) has helped limit data breaches among credit unions. “GLBA and its implementing regulations have successfully limited data breaches among credit unions,” Mooney says in today’s prepared testimony. “The best way to move forward and address data breaches is to create a comprehensive regulatory strategy for industries that are not already subject to oversight with the responsibility of protecting consumer data.”

During his testimony, Mooney will also update the panel on the efforts credit union regulators have undertaken to find solutions to reduce data and cybersecurity risk. “NCUA has made cybersecurity a supervisory priority since 2013, and the agency reminded credit unions in 2016 that ‘technological innovation, the expansion of social networking and growing interconnectivity are fueling fundamental change in cybersecurity procedures and processes.’ NCUA forecasts that elevated risk levels may lead to ‘higher mitigation costs and lower consumer confidence, as well as greater financial and legal risks.’”

He describes cybersecurity and data security as being “inextricably linked.” He adds, “Securing consumers’ personal information and financial accounts will require the entire payments ecosystem to take an active role in addressing emerging threats, and in turn require all industries to be proactive in protecting consumers’ personally identifiable and financial information from the onset.”

Mooney also talks about NAFCU’s efforts in the fight for more data and cybersecurity standards. “NAFCU has also aided industry efforts to make data security effective not just for institutions but also for consumers. In November of 2016, FS-ISAC released its ‘Sheltered Harbor’ initiative to improve cybersecurity defense measures for financial institutions,” he says.

He adds, “NAFCU’s efforts to gauge credit union cybersecurity readiness indicate that the vast majority of members have taken a proactive approach to managing data security risks and improving operational resilience.”

Mooney will also discuss how credit unions have established internal protections to combat cyberattacks and the steps that are necessary in order to create a national data security standard: “Retailers and credit unions are both targets of cyberattacks. The difference, however, is that credit unions have developed and maintained robust internal protections to combat these attacks and are required by federal law and regulation to protect this information as well as notify their members when a breach occurs, putting them at risk. Every credit union must comply with significant data security regulations, and undergo regular examinations to ensure that these rules are followed.”

With regard to legislative solutions, “NAFCU believes that the best legislative solution on the issue of data security is the bipartisan legislation that was introduced in the 114th Congress by Senators Roy Blunt and Tom Carper and Congressman Randy Neugebauer,” he says. “The legislation, S. 961/H.R. 2205, the Data Security Act of 2015, would have set a national data security standard that recognized those who already have one under the GLBA. We supported these bills and would urge for reintroduction in both the Senate and the House.”

He adds, “NAFCU would like to encourage congressional leadership to create a bipartisan and bicameral working group to find a legislative path forward to help better protect consumers from ongoing data breaches.”

In closing, Mooney says, “Consumers will only be protected when every sector of industry is subject to robust federal data safekeeping standards that are enforced by corresponding regulatory agencies. It is with this in mind that NAFCU urges Congress to modernize data security laws to reflect the complexity of the current environment and insist that retailers and merchants adhere to a strong federal standard in this regard.”


About NAFCU

The National Association of Federally-Insured Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance. For more information on NAFCU, go to www.nafcu.org or @NAFCU on Twitter.

Contacts

Molly Safreed, msafreed@nafcu.org (NAFCU)