FEDERAL WAY, Wash (1/24/08)--Credit Union National Association (CUNA) Board member Susan Streifel testified Tuesday for Washington state legislation that would make the costs associated with data breaches like the massive TJX Cos. breach the responsibility of the data breacher.

Streifel is president/CEO of Woodstone CU, Federal Way. She told Washington state House and Senate committees that the credit union incurs significant costs to protect its members as a result of data breaches, even when there is no actual fraud.

“Taking these aggressive steps to protect our members comes at a cost,” said Streifel. “If someone’s careless actions result in a financial loss, they should have to pay for it.”

The hard cost of reissuing a plastic card is estimated at about $20; however, the cost of reissuance, member/customer care and maintenance, including soft costs, is estimated to be up to $100 and $180 per account.

Two bills, SB 6425 and HB 2838, were introduced Jan. 8, during the opening days of the 2008 state legislative session. They are sponsored by Rep. Brendan Williams (D-22) in the House and Sen. Rosa Franklin (D-29) in the Senate.

Written by the Washington Credit Union League (WCUL), the proposed legislation requires negligent data breachers to reimburse card-issuing financial institutions for costs associated with protecting their members or customers after a data breach.

The bill would also deter financial fraud and identity theft in three ways:
* By requiring businesses accepting plastic cards to encrypt or dispose of sensitive consumer data promptly;
* By making businesses that store sensitive consumer data but fail to meet basic security standards responsible for the costs of consumer notification and card replacement; and
* By establishing a safe harbor for businesses that meet basic security standards.
“The league was delighted to have someone as passionate as Susan testify on behalf of this bill,” says WCUL President/CEO John Annaloro. “As a point of sound public policy, this proposed legislation provides a powerful financial incentive for data custodians to live up to generally accepted security standards.”

SB 6425 and HB 2838 encourage all financial institutions to take steps to quickly re-issue compromised cards and monitor accounts, helping protect consumers from financial fraud and identity theft before they can occur.

Washington state has enacted several statutes in the past five years that help consumers protect themselves from identity theft and financial fraud. In 2005 the state legislature was one of the first to require data breachers to notify those affected by the breach. In 2007, the state passed credit freeze legislation allowing consumers to lock down their credit reports. Both bills were supported by WCUL.

Bills similar to SB 6425 and HB 2838 were introduced in Minnesota, Massachusetts, Texas and California in 2007. However, the Minnesota bill was the only one enacted into law.

Stacy Augustine, WCUL senior vice president and general counsel, says that despite the uphill battle, the Data Breach Reimbursement Bill is showing promise of advancing in both the House and Senate.

“We have some work to do as we move towards a compromise bill that will be accepted by all stakeholders,” says Augustine. “Nobody likes the idea of more liability, so we’ll do the best we can to make the bill as palatable as possible for retailers and small business. In the end though, we’re simply not going to agree on who should bear the burden for this type of negligence.”

At least one more hearing in each house will need to take place before either bill makes it through the legislative process.