The data security breach at Target Corporation came at the worst possible time for holiday shoppers. The breach was announced on Dec. 18, meaning that in addition to last-minute shopping and getting ready for the holidays, consumers had to wonder, “Should I cancel my card? How can I finish shopping if a limit is put on my card? Is it safe to shop at other big-box stores?”
The burden also fell to credit unions, which were put in the position of deciding whether to limit cards and how best to monitor accounts – not to mention the compromised accounts they had to close and reissue cards for.
The news that at least 40 million (now estimated at between 70 and 110 million) credit and debit card accounts were compromised between Thanksgiving and the middle of December hit both consumers and financial institutions hard – but what about retailers? Target was the weak link in the situation – why didn’t the burden fall to them?
Bad publicity and skittish shoppers aren’t enough. NAFCU was the first to call for merchants to be held fully responsible for data security breaches on their end, and this latest big breach – the third largest credit card breach in U.S. history – only strengthened our resolve to get that message across to lawmakers.
The passage of data security requirements for merchants is a key element of NAFCU’s five-point plan for credit union regulatory relief, which was sent to Congress last February. We knew then, as we know now, that these breaches are not on the way out any time soon. They happen, and they will continue to happen. Neiman Marcus has already admitted to a data security breach on their end in recent weeks as well. Credit unions shouldn’t be the ones left holding the bag.
Right now, retailers do not have enough incentive to spring for better data security because they won’t be ultimately responsible when the security fails. Meanwhile, credit unions must pay for the mistakes of others. Until this situation changes, consumers will remain at risk.
NAFCU has been on Capitol Hill working with lawmakers to promote data security measures that would make a difference for consumers. Chief among our priorities are:
- a requirement that merchants be accountable for costs of breaches on their end;
- a requirement that any business entity responsible for the storage of consumer data meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act;
- a requirement that merchants post their data security policies at the point of sale if they take sensitive financial data;
- a requirement for the timely disclosure of the identities of breached companies and merchants;
- measures to address violations of existing agreements and law by merchants and retailers who retain payment card information electronically;
- notification of the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account;
- a duty for any breached merchant or retailer to demonstrate all necessary precautions were taken to guard data.
Consumers can’t afford to wonder if their sensitive information is at risk every time they go shopping – but until big retailers know that they will be held responsible, the uncertainty will continue.
NAFCU has been working to help its members respond to the Target breach. Each credit union must decide what approach is best for its members, but certain operational controls may be necessary depending on the number of accounts affected: monitoring or closing the accounts, and reissuing cards. Credit unions should also examine their liability for unauthorized transactions under Regulations E and Z. We recommend credit unions stay in touch with their members and make sure established practices are in place for dealing with such situations in the future.
As I’ve said, credit unions can be prepared to the extent possible, but nothing will cut down on data security breaches like the threat of real consequences for negligent merchants. Everyone is in this together, and responsibility should be balanced accordingly.