Credit unions renew push for data security law

Credit unions are repeating their calls to Congress to establish federal data security standards.

In a letter on Wednesday to congressional leadership, the National Association of Federal Credit Unions pointed to recent high-profile data breaches, including one at Target that impacted the financial and personal information of tens of millions of consumers.

"How many more consumers will have to be affected before Congress will act?" the group wrote.

ADVERTISEMENT
The recent data breaches, including those suffered by Target, Neiman Marcus and hotel company White Lodging, have raised the issue of federal data security standards in Congress.

Among a series of hearings and calls for action earlier this year, lawmakers — including Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.), Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.), and Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) — have introduced legislation aimed at heightening data security standards.

In its letter this week, the credit union group urged Congress to create federal standards to protect consumers and financial institutions.

While financial institutions are subject to federal data security standards, "retailers and many other entities that handle sensitive personal financial data are not subject to these same standards, and they become victims of data breaches and data theft all too often," the letter said.

The group outlined the costs of data breaches on credit unions, such as monitoring accounts for fraud and issuing new credit cards.

Credit unions "suffer steep losses in re-establishing member safety after a data breach occurs," the letter said.

The credit union group pushed back on the idea that financial institutions should "expedite the switch" away from traditional credit cards with magnetic strips to those that use "chip and PIN" technology.

While some — including some members of Congress — want to push financial institutions to adopt the technology more quickly, the chip and PIN technology "is no panacea for data security and preventing merchant data breaches," the group said.

That technology "does not protect against online fraud" and only heightens security of customer data if retailers also adopt the technology, the letter said.

Instead, Congress should establish standards to protect consumers from data breaches, the group wrote.

The relevant companies should have to alert financial institutions when they suffer data breaches and shoulder some of the data-related costs that credit unions face, "especially when [the companies'] own negligence is to blame," the letter said.

Additionally, Congress should require that companies limit their data retention, be more transparent about their data protection policies and tell customers when their systems have suffered from a data breach, the letter said.

"The colossal scale of recent data breaches continues to demonstrate the necessity for Congressional action."