FOR IMMEDIATE RELEASE  

CONTACT: Lauren Williams – CUNA Communications; (202) 626-7642; lwilliams@cuna.coop                                                                                             

Washington, DC (February 14, 2018) – Credit Union National Association witness Kim Sponem, President/CEO of Summit Credit Union in Madison, Wis., delivered the following oral testimony at today’s hearing in the House Financial Services Subcommittee on Financial Institutions and Consumer Credit, titled “Examining the Current Data Security and Breach Notification Regulatory Regime.” 

Chairman Luetkemeyer, Ranking Member Clay, Members of the Subcommittee –    

Thank you for the opportunity to testify on this extremely important topic.  My name is Kim Sponem and I am the Chief Executive Officer and President of Summit Credit Union, testifying on behalf of the Credit Union National Association. 

Summit Credit Union, headquartered in Madison, Wisconsin, is a state chartered credit union founded in 1935.  We have $3 billion dollars in assets and serve 175,000 consumers, which is quite small compared to regional or national banks.  Like all credit unions, we are a not-for-profit institution owned by the very members we serve. 

Summit Credit Union offers a full array of financial services to meet the needs of our members, including debit and credit cards. Unfortunately, data breaches occur far too often.  Consumers and financial institutions are harmed by data breaches when entities and organizations, including merchants, fail to take necessary steps to protect consumer data. Community financial institutions foot the bill when companies fail to secure customer information – when many do not need to store it in the first place.  Breaches cost Summit Credit Union over one-million dollars in 2017 alone.  More importantly, the negative impact on consumers is significant and sometimes devastating.  

Imagine you are making a purchase and your card is declined. You don’t know why. There is a line behind you. You are embarrassed and concerned. You figure out a different way to pay or walk away angry. You call your financial institution. There are fraudulent charges on your card. You now know the purchase was declined because of fraud and you have the stress of wondering just what information a fraudster has on you.  

Or you are using your debit card in another country to get currency. It is shut down. Now what do you do? You are worried someone is depleting your checking account. How long will it take to get resolved? How will you get money in another country? Panic sets in.  

Even worse. Someone stole your identity and took out a loan in your name. Now your credit is compromised. How do you get it back? It can take years and tens of thousands of dollars to rectify.   

Meanwhile, my credit union is working hard to get you replacements at $3-5 per card, overnighting them when needed at our expense. We work with you to address fraudulent charges that we pay for. We look to increase our fraud monitoring systems that are expensive and labor intensive. And, most of all, we spend the much needed time with members to help them navigate the financial system.   

Once you have your new cards, then remembering to update your automatic payments is the next step. If you forget, you are now delinquent with that company.  

 All fraud and fraud mediation is paid for by financial institutions. There is no incentive for companies that hold personal information to protect it – and that is just plain wrong!  

Under current law, credit unions and banks are subject to data security requirements, necessitating the development of procedures and systems to protect consumer information from theft, including notifying consumers in the event of a data breach.  However, other entities that hold personal information are subject to no such standards.  Any company that holds consumers’ personal information necessarily or unnecessarily should be held to a national standard. 

Americans deserve a strong national data security standard that requires all businesses to protect and safeguard personal information.  Companies that do not need to store personal information should either not store it or be subject to the standard.  Companies should not be allowed to put consumers at undue risk.  And, communicating a data breach in a timely manner allows consumers and financial institutions the ability to try to reduce possible losses with early detection and awareness.   

The current system is not fair or sustainable.  Consumers are protected from loss because financial institutions bear the responsibility for reimbursing them.  Those that are negligent should bear the cost! 

Protecting data is expensive and labor intensive. But a company that stores information needs to invest in these protections for consumers as a cost of doing business, or not store the information at all.  

In summary, it is our hope that this committee makes data security one of its top priorities for 2018. We ask that any legislation proposed include these three priorities: 

• One - A standard for all companies holding personal information; 

• Two – A requirement to communicate breaches in a timely manner; AND 

• Three – A responsibility for negligent companies to bear the cost.

We will work with you to protect consumer data and increase accountability.  Companies may not want to invest in protecting data, but it is a matter of responsibility and duty that goes with holding that information.          

On behalf of Summit Credit Union and the Credit Union National Association, I'd like to thank the subcommittee for the opportunity to share my views and would be happy to answer any questions.  

Thank you. 

###