MADISON, Wis. (12/8/14)--With last week's news that yet another national retailer experienced a data breach, credit unions continued to hammer home the message that retailers must share the responsibility of costs incurred as a result of losses experienced in such instances.
Women's retailer Bebe Stores Inc., with 200 stores nationwide, confirmed a data breach hit its payments system between Nov. 8 and 26 (Fortune Dec. 5).
The attack may have included illegal access to cardholder data, including account numbers, expiration dates and verification codes.
The attack comes a little more than a year after the Target breach, the which was the beginning of a spate of attacks on retailers--and placed a new level of awareness on the need for new data breach standards for merchants.
"2014 was definitely a turning point," Jody Dabrowski, assistant vice president of risk management at $531 million-asset Community Choice CU in Farmington Hills, Mich., told Click on Detroit (Dec. 4.)
In the current environment, "while financial institutions must meet lofty standards for data security, retailers and their processors have no such standards," Steve Swofford, president/CEO of $640 million-asset Alabama CU, Tuscaloosa, Ala., wrote in a letter to the editor published on AL.com (Dec. 5). "Retailers have opposed legislation, nationally and in Alabama, that would require better data security, penalize negligent retailers and provide immediate notification of suspected breaches."
Retailers have also been reluctant to install technology to accept chip cards, which would offer consumers more protection, Swofford wrote. "New standards, coming in October 2015, will transfer liability to retailers if they decline to adopt this technology," he wrote.
In Maine, credit unions are already piloting EMV cards for members, according to the Maine Credit Union League (Weekly Update Dec. 5). "We anticipate that Maine credit unions will be well-prepared when retailers are expected to have new systems ready to accept the technology by October 2015," league president John Murphy said in an interview with Mainebiz.com (Dec. 1). "We welcome the fact that at that time card companies will begin to shift the liability of data breaches involving signature-based transactions to retailers."
That day can't come soon enough for credit unions. In Maine, data breaches in the past year have cost state credit unions around $2 million for the replacement of credit and debit cards and an additional $500,000 for covering fraud, Murphy said.
"There's a lot of labor associated in handling all of this," Murphy told the publication.
In a Dec. 5 article, Buffalo Business First described the labor-intensive process that a breach warning initiates at $40 million-asset Western New York FCU, West Seneca, N.Y.
First, the credit union receives notification from its card vendor with a list of card numbers that might have been exposed. Then employees spend hours matching the numbers to member accounts. They send letters to the affected members, informing them of a potential security lapse, and shut down every card on the list. They make arrangements to replace the cards as soon as possible, whether or not there has been actual fraud.
Since last December the credit union has re-issued nearly 1,000 debit cards at risk of being compromised--some of them twice.
"It's brutal," Marie Betti, president/CEO Western New York FCU, told Buffalo Business First. She estimates the credit union spends nearly $6 to replace a single card. That doesn't include the cost of employees working an additional 130 hours so far this year on breaches, she said.
Alfred Frosolone, CEO of Niagara's Choice FCU, Niagara Falls, N.Y., with $137 million in assets, told Buffalo Business First that some of its 23,000 members stopped using debit cards to avoid the risk of data breaches. Others "almost expect" to be hit by a breach at some point, he said.
The League of Southeastern Credit Unions advised its member credit unions to be on the lookout for another type of cyberattack: email scams (eSignal Daily Dec. 5).
"Email scams are not new," the league advised. "They have been around since the invention of email. However, this time of year they are more prevalent. Plus, they have become more sophisticated."
The league explained that when a major retailer experiences a data breach, not only is debit/credit card information stolen, oftentimes email addresses are stolen, offering criminals a means of access.
The Credit Union National Association has stepped up its already strong advocacy efforts to protect consumers and financial institutions through the holiday season and into the first days of the 114th Congress.
CUNA has created a video to provide a brief overview of retailer data breaches, and has compiled a list of risk management practices in partnership with CUNA Mutual Group. CUNA's Stop the Data Breaches contains the list, as well as other resources for stakeholders to reach out to lawmakers urging a change in merchant security standards.