110th CONGRESS, LEGISLATIVE ISSUES A - Z

DATA SECURITY

ISSUE: There have been increasing problems with the theft of sensitive information resulting from data security breaches. The frequency of major credit data compromises continues at an alarming rate, resulting in severe consequences for American consumers, credit union members and the financial institutions that issue credit and debit cards - particularly credit unions and small banks.

The first major security breach to impact credit unions occurred in 2004, when hackers stole a large amount of consumer information from the retailer BJ's Wholesale Club. In this instance, the retailer was in direct violation of the card association rules and regulations, which resulted in thousands of credit union members' personal information being compromised. TJX Cos. reported in August 2007 that losses from a data breach earlier in the year may exceed $150 million after taxes, with 45.6 million credit and debit card numbers stolen from one of its systems, resulting in the most costly data theft in history. Financial institutions, including many credit unions, lost hundreds of thousands of dollars in costs due to card replacement and the fraudulent use of numbers. At this time, merchants are not held to the same standards in protecting sensitive account data, defeating efforts made by card issuers to comply with current regulation and law.

Legislative Initiatives: A number of bills have been introduced this Congress that are aimed at protecting consumers' personal identifying information. The House Financial Services Committee has not yet introduced a comprehensive data security bill.

CUNA POSITION: CUNA supports legislation that would prohibit the retention of sensitive, identifying information by merchants and certain non-financial companies from plastic card magnetic strips that could be obtained in connection with financial transactions, including the imposition of fines for failure to comply.
CUNA would like to see initiatives pursued that would require the major credit card companies to notify financial institutions when a breach has occurred, and for financial institutions to be able to disclose the source of the breach to the consumer. Specifically, an electronic notice should be issued by the credit card companies to the financial institution containing the following information: when a breach occurred; which merchant is responsible for that breach and which accounts are affected; and what type of personal information was compromised. CUNA also supports the requirement that the breaching party (i.e., the merchant) reimburse the consumer or financial institution for any losses incurred, as well as a uniform national standard.

OPPOSING VIEWS: There is much debate among business groups and privacy advocates about how far a national notification standard should go, and whether or not it should pre-empt state laws. Additionally, it is likely that the merchant community, which would be placed under new regulation and possibly some sort of indemnity, would oppose efforts to strengthen data security laws, as possibly would the credit card companies if the proposed regulations are viewed as too burdensome.

IMPACT ON CREDIT UNIONS: Data security breaches have negatively impacted credit unions, exposing their members and consumers to identity theft and fraud. Without being able to disclose the source of the breach, credit unions are exposed to "reputation risk" - the loss of confidence in the credit union by the members - in addition to actual monetary costs.

STATUS/OUTLOOK: Six committees between the House and the Senate have introduced their own legislation. Due to jurisdictional battles between several committees last Congress, data security legislation was not enacted. Similar bills have been reintroduced for the 110th Congress.
House Financial Institutions and Consumer Credit Chairwoman Carolyn Maloney (D-NY) and Ranking Member Paul Gillmor (R-OH) introduced the Identity Theft Prevention Act (H.R. 3316), which would allow consumers to freeze access to their credit files. Consumers may temporarily or permanently remove a freeze within 15 minutes when making the request by phone or online.

Rep. Tom Price (R-GA) introduced the Data Security Act of 2007 (H.R. 1685), which would retain existing security requirements for financial institutions and keep enforcement with the functioning regulators.

Reps. Bobby Rush (D-IL), Chairman of the Subcommittee on Commerce, Trade and Consumer Protection, and Ranking Member Cliff Stearns (R-FL) introduced the Data Accountability and Trust Act (H.R. 958). This bill requires the FTC to promulgate rules requiring entities engaged in interstate commerce to establish security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.

Senate Banking Economic Policy Chairman Tom Carper (D-DE) and Sen. Bob Bennett (R-UT) introduced the Senate version of the Data Security Act of 2007 (S. 1260), which is similar to Rep. Price's bill (H.R. 1168).

The Senate Judiciary Committee approved the Personal Data Privacy and Security Act of 2007 (S. 495) by voice vote on May 3, 2007. This bill would subject depository institutions to breach notification rules written by the FTC and enforced by state attorneys general. Sponsored by Chairman Patrick Leahy (D-VT), S. 495 would also let consumers correct any personal information held by commercial data brokers.

The Senate Commerce Committee approved the Identity Theft Prevention Act (S. 1178) on April 25, 2007. Sponsored by Chairman Daniel Inouye (D-HI), the bill would allow consumers to freeze access to their credit files.

CONTACTS: Ryan Donovan, 202-508-6750, rdonovan@cuna.coop and John Hildreth, 202-508-6724, jhildreth@cuna.coop.

Related Documents: Data Security Legislative Comparison of Key Credit Union Issues

Copyright © 2009 - Credit Union National Association, Inc.