Hackers and cyber-criminals keep hitting the repeat button on data breaches: Every week, it seems there is a new headline of yet another violation that has affected one of our nation's retailers. It’s time for retailers to come to the table to put a stop to the excessive number of data breaches and protect American consumers. 

The year got underway with the immediate aftermath of the Target breach, which resulted in the violation of at least 40 million records of credit and debit card sales. The worst offense happened this fall with the Home Depot breach, whose 56 million affected consumer records make it the biggest retail breach in history. 


In between those behemoth breaches, we saw nearly weekly additional occurrences at Supervalu, Jimmy John’s, Neiman Marcus, P.F. Chang’s, Michaels, Staples, Dairy Queen—the list goes on and on. Sadly, no end is in sight: More than 500 data security breaches have occurred in 2014 so far, exposing more than 75 million data records. Between now and year’s end, and particularly with the holiday shopping period in full swing, our nation's retailers are likely vulnerable to additional breaches. 

What is particularly frustrating to us, as the leaders of national trade groups representing credit unions and community banks, is that little attention is given to strengthening the weakest points where these violations occur—U.S. retailers—and thereby reducing these costly breaches and their effect on consumers. 

But first things first: how did we get here? Why is this personal financial data so easy for criminals to obtain? 

Under current law, merchants are not subject to the same federal data-protection standards as are financial institutions under the Gramm-Leach-Bliley Act. It’s simply easier for hackers to go through merchants to gain access to credit and debit card information and other sensitive data. As long as the security standards on the merchant side of the system are weaker than those for financial institutions, the vulnerability for consumers and financial institutions is at the point of purchase. 

Meanwhile, merchants have little incentive to address their security flaws, because financial institutions are responsible for cleaning up their mess. The instant criminal hackers gain access to consumer financial data, they sell the information to the highest bidders. Protecting the consumer then becomes the duty of financial institutions—leaving banks and credit unions on the hook for fronting the bill. 

It is unacceptable that retailers are not covered by any federal laws or regulations requiring them to protect data and notify consumers when they are breached. While merchants and financial institutions are both targets of these attacks, financial firms have developed and maintain robust internal protections to combat criminal attacks and are required to protect this information and notify consumers when a breach puts them at risk. 

Additionally, while retailers make claims that they reimburse costs when they are hacked, financial institutions have still not been fully reimbursed for any of the costs they suffered as a result of the Target breach nearly a year ago. To date, the Target and Home Depot breaches alone have cost credit unions and their member-owners at least $90 million, according to CUNA survey results. ICBA estimates that community banks spent more than $40 million following the data breaches at Target and Neiman Marcus. It’s important to remember that financial institutions not only must cover the costs of fraudulent charges, but also the costs of blocking transactions, reissuing cards, increasing staff to handle inquiries and monitoring consumer accounts. 

Further, the onslaught of these recent breaches touches consumers directly. Once a card is breached, financial institutions disable the card to protect against additional consumer loss. While every effort is made to send replacement cards as soon as possible, there is a period of time when consumers do not have a card. Think of the havoc that can wreak on the lives of consumers who must have their cards available for use but do not, through no fault of their own. 

Several retailers have argued that improved technology can help reduce fraud and strengthen data security. While we agree that new payment systems can help, advances in technology must be accompanied by strong internal data-protection standards and robust regulatory oversight for the safekeeping of financial data and cost liabilities in the event of an attack. 

We all want consumer data kept out of the hands of criminals, but today there is no end in sight to data breaches. The incoming Congress should take the common-sense action of passing legislation to protect consumers by taking steps to enhance data-security standards for merchants. Doing so will help stop cyber-criminals from hitting the repeat button on retail data breaches and better safeguard consumer information. 

Nussle is president and CEO of the Credit Union National Association (CUNA); Fine is president and CEO of the Independent Community Bankers of America (ICBA).