WASHINGTON (2/3/14)--Congress should take a broad look at how consumer data is secured and the improvements that are necessary to prevent future breaches from taking place, the Credit Union National Association said in a letter submitted for the record of a Senate Banking Committee data security hearing scheduled this week.
The hearing, entitled "Safeguarding Consumers' Financial Data," follows last year's Target data breach. That breach resulted in the theft of 40 million debit and credit cards, and encrypted PIN data, and the names, mail and email addresses, and phone numbers of up to 70 million individuals. Credit unions have already incurred costs estimated to be in the range of $25 million to $30 million as a result of the Target stores data security breach, according to a CUNA survey.
In a letter sent today to Senate Banking national security and international trade and finance subcommittee Chairman Mark Warner (D-Va.) and Ranking Subcommittee Member Mark Kirk (R-Ill.), CUNA President/CEO Bill Cheney encouraged Congress to take a holistic approach to addressing data security issues.
"Focusing on one payment method as the absolute answer to solving data security breaches is both shortsighted and distracts from the greater need of a federal data security framework for all entities," he wrote.
"Data breaches occur, in part, because merchants are not required to adhere to the same statutory data security standards that credit unions and other financial institutions must follow, and merchants are rarely held accountable for the costs others incur as a result of the breaches. All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allows merchants to abdicate that responsibility, making consumers vulnerable," Cheney said.
He noted the many steps credit unions have taken since the breach to protect their members, and said some credit unions also face reputational damage due to the breach.
Cheney in the letter said credit unions support three basic principles for data security fixes:
All participants in the payments system should be responsible and be held to comparable levels of data security requirements;
Those responsible for the data breach should be responsible for the costs of helping consumers; and
Consumers should know where their information was breached.
"Consumers need transparency and knowledge to understand where their data has been put at risk," Cheney added.
Similar points will be raised in separate letters to the House Energy and Commerce subcommittee on commerce, manufacturing, and trade and the Senate Judiciary Committee. Those groups have set their own data security hearings for this week. (See Jan. 31 News Now
: House, Senate add data security hearings to next week's agenda.)