NAFCU to House Small Business: cyber and data security is a top challenge facing credit union industry

WASHINGTON, DC (April 22, 2015) – National Association of Federal Credit Unions (NAFCU) President and CEO Dan Berger will testify today on behalf of the association before the House Small Business Committee on cyber and data security. Berger will tell lawmakers that “cyber and data security, ensuring member safety, and how to incentivize and emphasize data safekeeping in every link of the payments chain is a top challenge facing the credit union industry.” Berger is seeking action from Congress to enact comprehensive cyber and data security measures to protect consumers’ data.

Berger is testifying before the committee in today’s hearing, “Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks,” which will begin at 11 a.m. Eastern.

Credit Unions and the Gramm-Leach-Bliley Act

Berger, in his written testimony, highlights the widespread impact of recent cyberattacks and data security breaches. “Cyber and data crime has reached epic proportions in nearly all sectors of the economy,” Berger says. Symantec’s 2015 Internet Security Threat Report shows more than 317 million new pieces of malware were created in 2014 and that breaches were up 23 percent from 2013.

Berger stresses that credit unions and other financial institutions already protect consumers’ personal data under the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA). Unfortunately, there is no comprehensive regulatory structure similar to GLBA for other entities, such as retailers, that handle sensitive personal and financial data. Berger says, “GLBA and its implementing regulations have successfully limited data breaches among credit unions. The best way to move forward and address data breaches is to create a comprehensive regulatory scheme for those industries that are not already subject to oversight.”

NAFCU’s Cyber and Data Security Initiatives

NAFCU was the first financial trade organization to call for national data security standards for retailers in the wake of the 2013 Target data breach, and it continues to push for legislative action on Capitol Hill. NAFCU is a member of the Payments Security Task Force, a diverse group of participants in the payments industry that is driving a discussion on payments system security. NAFCU is also a member of the Financial Services Sector Coordinating Council and the Financial Services Information Sharing and Analysis Center, which work on infrastructure cybersecurity.

Credit Unions and Consumers Continue to Suffer in Wake of Data Security Breaches

There has been an increase of massive data security breaches at retailers, from the Target breach in 2013 impacting over 110 million consumer records to the recent Home Depot breach affecting 56 million payment cards. “Data security breaches are more than just an inconvenience to consumers as they wait for their plastic cards to be reissued,” Berger says. “Breaches often result in compromised card information leading to fraud losses, unnecessarily damaged credit ratings, and even identity theft.”

Credit unions have developed and maintain robust internal protections to combat cyberattacks and are required by federal law and regulation to safeguard this information and notify consumers if a breach occurs that will put them at risk. These fraud protection systems bring significant costs. According to a February 2015 survey of NAFCU member credit unions, the average respondent spent $136,000 on data security measures in 2014, and that doesn’t even factor in the additional costs that the credit union faced due to data breaches at other entities.

“The ramifications of recent data breaches for credit unions and their members have been monumental,” Berger says. According to the February 2015 survey of NAFCU member credit unions, the estimated costs associated with merchant data breaches in 2014 were $226,000, on average, per credit union. The three main components of these costs were card reissuance, fraud loss and account monitoring. “Unfortunately, credit unions often never see any reimbursement for their costs associated with the majority of data breaches. Even when there are recoupment opportunities, such as the recent Target settlement with MasterCard, it is usually only pennies on the dollar in terms of the real costs and losses incurred,” Berger says in his written testimony.

NAFCU’s Key Data Security Principles 

NAFCU’s Board of Directors has established a set of guiding principles to help define key issues credit unions would like to see addressed in any comprehensive cyber and data security measures that might advance in Congress. These principles include:

  • Payment of Breach Costs by Breached Entities
  • National Standards for Safekeeping Information
  • Data Security Policy Disclosure
  • Notification of the Account Servicer
  • Disclosure of Breached Entity
  • Enforcement of Prohibition on Data Retention
  • Burden of Proof in Data Breach Cases

Preventing Future Data Breaches

“While some have said that voluntary industry standards should be the solution, the recently released Verizon 2015 Payment Card Industry Compliance Report found that four out of every five global companies fail to meet the widely accepted Payment Card Industry (PCI) data security standards for their payment card processing systems,” Berger says. The report also found that the use of EMV cards in other countries has not served as a “silver bullet” in preventing fraud; rather, it leads fraudsters to find other means of access.

Berger says NAFCU appreciates the introduction by Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., of the bipartisan S. 961, the “Data Security Act of 2015,” which would bring retailers under a national standard similar to the GLBA requirements for financial institutions. He urges the introduction of a House companion measure.

In closing, Berger says, “Consumers will only be protected when every sector of industry is subject to robust federal data safekeeping standards that are enforced by corresponding regulatory agencies. It is with this in mind that NAFCU urges Congress to modernize data security laws to reflect the complexity of the current environment and insist that retailers and merchants adhere to a strong federal standard in this regard.”

The National Association of Federal Credit Unions is the only national trade association that exclusively represents the interests of federally chartered credit unions before the federal government and the public.
