WASHINGTON (3/6/13)--Inconsistent data security standards need to be addressed before a solution to merchant data breaches can be achieved, the Credit Union National Association said in a Wednesday letter to the U.S. Congress.
The letter was sent for the record of a House Financial Services subcommittee on financial institutions and consumer credit entitled "Data Security: Examining Efforts to Protect Americans' Financial Information." Subcommittee members Rep. David Scott (D-Ga.) and Spencer Bachus (R-Ala.) during the hearing queried government witnesses on the need for merchants to be under uniform data security and consumer notification standards.
CUNA, the National Credit Union Administration and others have recently called for data security standard parity between merchants and financial institutions.
"Simply put: credit unions and other financial institutions are subject to high data protection standards under the Gramm-Leach-Bliley Act; merchants are not. When merchant data breaches occur, financial institutions--not merchants--bear the costs of replacing credit and debit cards and fraud costs," CUNA President/CEO Bill Cheney wrote.
The Target data breach cost credit unions an estimated $30.6 million, and future fraud could increase these costs, CUNA said. Merchant data breaches are a top credit union concern. "It is an issue of such great concern because these breaches cost credit unions and their members significantly, and they divert resources from other credit union activity, including lending," Cheney wrote.
"Until and unless merchants are held accountable for the damages that breaches to their systems cause financial institutions and consumers, we have little confidence that they will be incentivized to properly secure their systems," the letter added.
To address credit union data security concerns, CUNA suggested that Congress:
- Hold all payment system participants to comparable levels of federal data security requirements;
- Hold those responsible for the data breach responsible for the costs of helping consumers; and
- Ensure consumers know where their information was breached.
"Credit unions also support legislation that requires merchants to provide notice to those consumers affected by a data breach, and permits credit unions to disclose where a breach occurs when notifying members that their account has been compromised...Consumers need transparency and knowledge to understand where their data has been put at risk," the letter said.
CUNA also encouraged the committee to hold additional data breach hearings.
For the full letter, use the resource link.