The recent confirmation of a second data breach at Sally Beauty Holdings Inc., based in Texas, crystallized the continuing challenge consumers and financial institutions have regarding retail data breaches.  As Congress examines cyber security and data security issues, I hope lawmakers will keep in mind that as long as retailers lack national data security standards, consumers’ sensitive financial information will be ripe for cyberattacks.  As those attacks continue, financial institutions will continue to be left picking up the tab.

Credit unions and other financial institutions already protect consumers’ personal data under the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA).  Unfortunately, there is no comprehensive regulatory structure similar to GLBA for other entities, such as retailers, that handle sensitive personal and financial data.

ADVERTISEMENT
At Government Employees Federal Credit Union in Texas, a not-for-profit, member-owned financial cooperative, we have had to absorb huge losses from data breaches at big retailers like Target and many others to make our members whole.  So far in 2015, we have incurred $22,080 in fraud costs that include reissuing cards, notifying members and covering the fraud that has occurred on our member accounts. That figure is nearly as high as our total fraud cost for 2014.   At this rate, our total fraud costs for 2015 could be as high as $61,000 or $6.61 per member.

While that number may not seem like much in Washington, these costs are significant for our small credit union and its 10,018 members.  Our credit union is just one of the thousands of credit unions that are experiencing outrageous data breach costs from the continued lack of national data breach standards for retailers.  A February 2015 survey of the National Association of Federal Credit Unions’ (NAFCU) members found that the average credit union respondent spent $136,000 on data security measures in 2014 and that the estimated costs associated with merchant data breaches in 2014 were $226,000, on average, per credit union.

By contrast, a 2015 Columbia University review of merchants’ financial statements such as Target and Home Depot reveals that retailers barely notice a financial hit from massive data breaches, and breach costs were less than one-tenth of 1 percent of these giant retailers’ 2014 annual sales.

Voluntary standards have proven to be poor protection for consumers as the retailers get paid for the products and services without having to protect their data systems at considerable cost.  The recent findings of the Verizon 2015 Payment Card Industry Compliance Report found that 80 percent of global retailers fail to meet widely accepted Payment Card Industry (PCI) data security standards.

I hope Congress will finally act to hold retailers accountable for data breaches on their end. The recent introduction by Sens. Tom CarperTom CarperOvernight Energy: Trump White House kicks off 'Energy Week' Senate confirms NRC chairwoman to new term Dems push for more action on power grid cybersecurity MORE (D-Del.) and Roy BluntRoy BluntOvernight Regulation: Senate Banking panel huddles with regulators on bank relief | FCC proposes 2M fine on robocaller | Yellowstone grizzly loses endangered protection Overnight Finance: Big US banks pass Fed stress tests | Senate bill repeals most ObamaCare taxes | Senate expected to pass Russian sanctions bill for second time GOP senator: 'No reason' to try to work with Dems on healthcare MORE (R-Mo.) of the bipartisan S. 961, the “Data Security Act of 2015,” and the companion House bill introduced by Reps. Randy NeugebauerRandy NeugebauerWarren’s regulatory beast is under fire – and rightfully so Dem senators to Trump: Don't tell consumer bureau chief 'you're fired' Overnight Finance: Carson, Warren battle at hearing | Rumored consumer bureau pick meets Trump | Trump takes credit for Amazon hirings | A big loss for Soros MORE (R-Texas) and John Carney (D-Del.) H.R. 2205, is the ideal bill currently before Congress in that it would both set national data security standards for retailers akin to GLBA while acknowledging financial institutions’ existing adherence to GLBA standards.

The current situation continues to compromise the safety of consumers’ sensitive financial and personal information, and it jeopardizes the safety of our economy.  Congress must put an end to the free ride retailers have been enjoying and pass national data security standards for them.

Crisp is president and CEO of Government Employees Federal Credit Union, a full-service financial institution with $132 million in assets that serves 10,018 members based in Austin, Texas.