By Kim Sponem
As head of a member‐owned financial institution, I know far too much of our and our members’ money has been lost dealing with data breaches at retailers, other merchants, and service providers across the country. The biggest breaches make headlines, but others occur on a more local level.
Indeed, data breaches have hit both national retailers, such as Target and Home Depot, and small businesses alike. An annual fraud and risk survey conducted by Kroll, Inc. found that in 2017, data theft surpassed the stealing of physical assets. Businesses simply are not using strong enough data security measures to ensure sensitive consumer information is protected.
Financial institutions bear the brunt of the costs when merchant data breaches occur. Many data breaches result in compromised payment cards. To limit fraudulent transactions, credit unions immediately deactivate the cards and send members new cards. Not only do credit unions incur the costs of fraud losses, reissuing cards, and increased monitoring for fraudulent activity, but their members worry about identity theft and are inconvenienced when their cards are reissued. This brings serious reputational risk to us, as these compromised cards have our logo on them.
The theft of sensitive consumer information also leads to additional challenges for credit unions because our ability to verify a customer’s identity and creditworthiness is compromised. This cost, effort, and reputational risk are in addition to the resources we’re spending for top‐of‐the‐line data security required of financial institutions by the Gramm‐Leach‐Bliley Act.
Credit unions have testified before Congress numerous times about the need for increased data security standards for businesses that handle sensitive consumer information.
What Legislation Must Do
Any legislation must:
- Be scalable to the size and complexity of the organizations. This would ensure everything from a corner store to a big box retailer has the proper barrier in place to protect sensitive information.
- Contain requirements for the impacted party to notify consumers, law enforcement, and regulators when there is a reasonable risk of sensitive information being exposed. This would ensure that consumers are able to take necessary steps to protect themselves in a timely manner, not months after a breach is detected.
- Create a federal national data security standard ensuring all consumers receive the same protection.
Companies can do better when it comes to protecting sensitive consumer information. Through its legislative advocacy efforts and participation in data breach litigation, including the Target, Home Depot, and Equifax class actions, CUNA is fighting to ensure that financial institutions are protected when data breaches occur. Join us at the CUNA Governmental Affairs Conference on Monday, Feb. 26 at 2:45 (ET) dedicated to discussing developments to support secure payments.
As the payments system evolves with the implementation of real‐time payments, mobile payments and the rise of digital currency information, credit unions know that security has never been more important.
Credit unions, with our partners at CUNA, will continue to push for a strong, national data security standard, but we need Congress to take the next step and pass a bill. Congressional action is necessary to create a nationwide standard that requires businesses to shoulder their share of the cost to protect sensitive customer information and to be held accountable when they fail to properly do so.
Kim Sponem is the president/CEO of Summit Credit Union and recently testified before Congress on behalf of CUNA regarding data breaches.