Removing Barriers Blog

League Advocacy Paves the Way for Target Settlement
Posted December 07, 2015 by CUNA Advocacy

Steps taken by the Minnesota Credit Union Network (MnCUN) eight years ago set the stage for last week’s proposed $39 million settlement between Target and credit unions and other financial institutions for the retailer’s massive data breach in 2013.

These legislative efforts by MnCUN and its Minnesota credit unions overcame significant odds, considering that very few in the financial industry or the business community supported such legislation.

The impetus for the 2007 state legislation came from the “frustration we were hearing from our credit unions for having to pay the costs of data breaches,” MnCUN President/CEO Mark Cummins told News Now. “More importantly, we wanted to help protect the personal financial information of our credit union members.”

The Minnesota Plastic Card Security Act, the first of its kind, prohibits businesses from retaining sensitive card stripe data after authorization of the transaction. It also requires a retailer to reimburse the costs incurred by any financial institution that issued payment cards affected by the breach of the retailer's system. The legislation didn’t add regulations; rather, it codified Payment Card Industry Data Security Standards (PCI DSS), the standards to which merchants are held.

The biggest benefit of last week’s settlement is not so much the monetary aspect, Cummins said. Rather, it is a precedent of a monetary penalty that will force retailers to adopt the highest level of security and to reimburse financial institutions for the costs incurred as a result of a breach.

Target, which is based in Minneapolis, admitted the holiday season data breach affected roughly 40 million debit and credit card numbers and compromised the personal information of as many as 70 million customers. CUNA research found that credit unions incurred nearly $31 million in hard costs, not including any resulting fraud.

In 2010, the state leagues in Nevada and Washington led similar efforts, in which aspects of the Minnesota laws were adopted by incorporating PCI DSS for merchant responsibility as part of data security.