MINNEAPOLIS (12/7/15)--The Minnesota Credit Union Network (MnCUN) eight years ago set the stage at the state level for last week’s proposed $39 million settlement between Target and credit unions and other financial institutions that sued the retailer for its massive data breach in 2013.
These legislative efforts by MnCUN and its Minnesota credit unions overcame significant odds considering very few in the financial industry or the business community were in support of such legislation.
The impetus for the 2007 state legislation came from the “frustration we were hearing from our credit unions for having to pay the costs of data breaches,” MnCUN President/CEO Mark Cummins told News Now. “More importantly, we wanted to help protect the personal financial information of our credit union members.”
The Minnesota Plastic Card Security Act, the first of its kind, prohibits businesses from retaining sensitive card stripe data after authorization of the transaction. It also requires a retailer to reimburse the costs incurred by any financial institution that issued payment cards affected by the breach of the retailer's system.
The biggest benefit of last week’s settlement is not so much the monetary aspect, Cummins said. Rather, it is a precedent of a monetary penalty that will force retailers to adopt the highest level of security and to reimburse financial institutions for the costs incurred as a result of a breach.
Target, which is based in Minneapolis, admitted the holiday season data breach affected roughly 40 million debit and credit card numbers and compromised the personal information of as many as 70 million customers. CUNA research found that credit unions incurred nearly $31 million in hard costs--not including any resulting fraud.
“We were hoping that being responsible for hard costs would encourage merchants to step up to better secure their information,” said Mara Humphrey, MnCUN vice president of governmental affairs. The legislation didn’t add regulations; rather it codified Payment Card Industry Data Security Standards (PCI DSS)--the standards to which merchants are held.
In its rebuttals, Target had argued that it did not have a “duty of care” relationship with financial institutions to secure payment information and, as such, was not responsible for breach costs.
“This is a long-term strategy that going forward is going to help credit unions in the courts,” said Christopher Roe, senior vice president of corporate legislative affairs, CUNA Mutual Group. “Before this law, a large merchant typically would offer pennies on the dollar in a settlement. Now, they have an increased incentive and a duty of care to protect consumer financial information. MnCUN, along with Minnesota credit unions, led the way on this legislative strategy and should be commended for their foresight and innovative thinking in this area.”
In 2010, the state leagues in Nevada and Washington led similar efforts in which aspects of the Minnesota laws were adopted by incorporating PCI DSS for merchant responsibility as part of data security. These efforts, along with plastic card legislation supported by other leagues, are a prime example of collaboration within the credit union system and how state leagues are able to bring novel approaches in tackling some of the most complex public policy issues facing credit unions today, Roe noted.