Contact: Patrick Keefe
CUNA Communications, 202-508-6765

Merchants should be held to the same data security standards as credit unions and other financial institutions when they handle financial transactions, and financial institutions should be permitted to disclose the source of a data breach and seek reimbursement from the merchant for breach costs, the Credit Union National Assn. (CUNA) wrote to a subcommittee chairman holding a hearing today on data security.

In the letter to Rep. Renee Ellmers (R-N.C.), chairman of the health and technology subcommittee of the House Small Business Committee, CUNA President and CEO Bill Cheney called data security a "critical issue, and noted that the chain of data security is only as strong as its weakest link.

"A data breach can occur anywhere along the payments transaction, from the merchant, to the merchant bank, the issuing card bank, and ultimately the financial institutions," Cheney wrote. "Credit unions are subject to very high data security standards under the Gramm-Leach Bliley Act of 1999 (GLBA).[1]  However, merchants are not required to follow these standards, and until they are held to the same standard, consumers will remain vulnerable to a system that does not protect their information."

The complete text of CUNA's letter for the record of the hearing follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

December 1, 2011

The Honorable Renee Ellmers
Subcommittee on Health and Technology
Committee on Small Business
U.S. House of Representatives
Washington, D.C. 20515

Dear Representative Ellmers:

On behalf of the Credit Union National Association (CUNA), I am writing regarding today's hearing entitled, "Cyber Security: Protecting Your Small Business." This is a very important and timely subject and we welcome the opportunity to file a statement for the hearing record.  CUNA is the largest credit union advocacy organization in the United States, representing nearly 90% of America's 7,400 state and federally chartered credit unions and their 94 million members. 

The chain of data security is only as strong as its weakest link.  A data breach can occur anywhere along the payments transaction, from the merchant, to the merchant bank, the issuing card bank, and ultimately the financial institutions.  As we describe below, credit unions are subject to very high data security standards under the Gramm-Leach Bliley Act of 1999 (GLBA).[2]  However, merchants are not required to follow these standards, and until they are held to the same standard, consumers will remain vulnerable to a system that does not protect their information. 

We encourage Congress to consider legislation that holds merchants to the same standards as financial institutions when they handle financial transactions, and that permits financial institutions to disclose the source of the data breach and seek reimbursement from the merchant for the cost of the breach.

Merchant Data Breaches
Merchants benefit greatly from the electronic payments system. The largest benefit to the merchant is the elimination of risk they would otherwise have to assume if the transaction were paid with cash (theft risk, handling and security costs) or a check (bounce risk, which includes non-payment and collection expenses). Merchants also benefit from ?streamlined accounting, reduced credit risk, faster check-out and increased purchase amounts compared to checks or cash.[3]

With the electronic payment system, card issuers, such as credit unions, assume all of the risk and guarantees the merchant will receive payment. In the process, the consumer receives a very important service: an efficient, convenient, seamless, and universally-accepted transaction. That very consumer service redounds to the benefit of merchants. The easier it is for a consumer to access his or her funds at the point of sale, the more likely he or she is to spend them on the goods or services the merchant is offering. There is tremendous benefit and value attached to the debit card, as evidenced by the significant increase in its acceptance by merchants and its use by consumers over the last decade.

The question is: What happens when something goes wrong?  Unfortunately, merchant data breaches happen, and experience tells us, it is the card issuers who take the loss and take steps to protect the consumers.  In the event of a merchant data breach there are no federal requirements for merchants to notify consumers of that breach.  The onus of notification to the consumer lies on the financial institution that issued the payment card.  However, financial institutions cannot specify which merchant was responsible for the breach and also bears the costs of issuing new payment cards, and making any loss to the consumer's account whole. The merchant bears no financial responsibility in the case of a data breach.

For instance, in May 2011, the retailer, Michael's, experienced a large breach of customer data.  Michael's was not required to contact its customers, but they did.  Nevertheless, in statement issued by Michaels, it advised "consumers who believe their accounts were used without authority" to "contact the card issuer directly."  As a result of this breach, credit unions had to determine which states were involved, monitor potentially compromised member accounts, manually reduce limits for both ATM and PIN transactions, closely monitor the ATM transaction in affected states, notify members of potential fraud on their accounts, issue new debit cards to members whose accounts had been compromised, and refund money to those members who were victims of the fraud.  Credit unions took the responsibility associated with the costs of this breach, not Michael's.

Merchants are not subject to federal data security requirements, nor are they financially liable for damages. In some cases, merchants do not even face reputational risk as a result of a breach because they are not required, under federal law, to disclose a breach.  The financial institutions of consumers affected by the breach in most cases do not know the source of the breach, and when the source is known, are not permitted to identify the merchant responsible.  While there are industry standards, merchants are not required by law to follow these standards.[4]   

Until there are consequences to these bad actions, voluntary standards will not be sufficient to protect consumers. It is common sense that if merchants receive benefits from debit cards payments that they should be subject to the same high data security standards as financial institutions.  To protect consumers, Congress should require merchants to be regulated to at least the same extent that financial institutions are when it comes to data security.  In the event of a merchant data breach, Congress should allow financial institutions to name the source of the merchant data breach and require the merchant responsible for the breach to be financially liable for the cost of the breach on the affected consumers and financial institutions.

Data Security Requirements for Credit Unions

The National Credit Union Administration (NCUA), implements data security standards for credit unions, as does the Federal Financial Institutions Examination Council (FFIEC), of which NCUA is a member.[5] 

Credit unions are subject to data security requirements as required by §501(b) of the GLBA and Part 748 of the NCUA's regulations. Specifically, under §501(b) of the GLBA, Congress required NCUA and other federal financial regulators to establish standards to ensure financial institutions protect the security and confidentiality of the nonpublic personal information of their members or customers. 

Part 748 of NCUA's regulations requires credit unions to establish a comprehensive data security program addressing the safeguards for customer records and information. These safeguards are intended to insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against any unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.  In addition, Part 748 also requires credit unions to develop and implement "risk-based" response programs to address instances of unauthorized access to member information.

Data security requirements under the GLBA and NCUA's regulations are subject to the supervision and enforcement of NCUA for federal credit unions or the state supervisory agencies for federally-insured state-chartered credit unions.  Additionally, the Federal Trade Commission has enforcement authority for compliance with these requirements for state-chartered credit unions.

Federal banking agencies have developed and published additional information security requirements which cover specific threats and mitigation of identified risks.  The FFIEC has issued specialized IT handbooks that outline cyber security requirements for all depository institutions within the banking and finance sector.  The FFIEC IT Handbooks are actually comprised of 11 separate booklets, and are very similar to the current cyber security guidance that pertains to federal agencies.  The IT Handbook addresses various topics, including (1) audit, (2) business continuity planning, (3) development and acquisition, (4) electronic banking, (5) information security, (6) management, (7) operations, (8) outsourcing technology services, (9) retail payment systems, (10) supervision of technology service providers, and (11) wholesale payment systems.  Credit unions are required to adhere to this FFIEC guidance and these requirements are incorporated into NCUA's examination practices for credit unions, as further detailed below.

The methodologies that federal banking regulators including the FFIEC and NCUA use to provide oversight and supervision vary, but include periodic  examinations, self-reporting, and other administrative and legal supervisory actions to enforce compliance.

NCUA has also issued regulations that outline data security and anti-identity-theft requirements, along with publishing agency Letters to Credit Unions, Regulatory Alerts, Legal Opinion Letters and final regulation Part 748 addressing credit union security programs.  NCUA's examiners use Automated Integrated Regulatory Examination Software (AIRES) consisting of multiple information technology examination questionnaires to assist with reviewing a credit union's information systems and technology.  These AIRES examination questionnaires incorporate all of the supervisory requirements contained within the FFIEC's IT Handbooks previously discussed.  Each of these additional regulatory measures and guidance documents have been developed over the last several years in response to data security and other cyber security and consumer protection laws, some of which include the GLBA and the Fair Credit Reporting Act.

Additionally, Part 716 of NCUA Rules and Regulations governs credit unions' use of customer and member non-public personal information, in accordance with Title V, Subtitle A of GLBA, which contains various requirements including prohibitions on sharing of account numbers, a requirement that all credit unions provide privacy notices to members and customers, and when applicable, credit unions must also provide a conspicuous notice that explains the right of the person whose non-public personal information is going to be shared with certain nonaffiliated parties to "opt out," and credit unions must provide a reasonable means by which and a reasonable time in which the person may exercise the opt-out right.  Other provisions of Part 716 include a prohibition on sharing account numbers with third parties for marketing purposes, and limitations on the re-disclosure and reuse of information shared with nonaffiliated third parties.  


Data security is a critical issue, and it is clear that there are areas where Congress needs to consider legislation.  To protect consumers, Congress should require merchants to meet the same high standards for data protection to which financial institutions are subject.  In addition, Congress should permit financial institutions to disclose the source of data breaches affecting their members or customers, and merchants should be required to reimburse consumers and financial institutions for the costs associated with data breaches.

On behalf of America's credit unions and their 94 million members, thank you again for holding this hearing.  We appreciate your leadership on this issue.

Best regards,
Bill Cheney
President & CEO
Credit Union National Association (CUNA)

# # #
Right Promo- Membership