Merchant data breaches occur far too often and the cost to credit unions to cancel and reissue debit and credit cards continues to rise, CUNA witness Kim Sponem told a House Financial Services subcommittee Wednesday. Sponem, president/CEO of Summit CU, Madison, Wis., testified before the subcommittee on financial institutions and consumer credit on CUNA’s behalf.
“Financial institutions, like Summit Credit Union, foot the bill for the fallout and subsequent fraud that comes from the breach of personal information from merchants and other companies’ failure to adequately protect and secure customer information,” Sponem said. “The current state of the law does not put enough responsibility on those handling this sensitive customer information to properly safeguard it. Any future legislation must address this lack of responsibility and accountability.”
Sponem described how Summit gets lists of payment cards each year that have been reported as compromised because of a data breach. Staff then dedicates time to review all card numbers, determine if the card should be blocked and reissued and if it should be tagged for additional fraud monitoring.
“In 2017 alone, we reissued thousands of cards and incurred hundreds of thousands of dollars in losses from card fraud resulting from data breaches,” she said. “These losses do not include the cost to reissue debit and credit cards or the number of staff hours spent on dealing with our customers’ issues with respect to these data breaches.”
These costs include replacing cards ($3 to $5 per card on average), fraud monitoring, addressing member inquiries, processing and refunding fraudulent charges and processing compromised card reissuances.
Rep. Andy Barr (R-Ky.) said Sponem’s experiences with data breaches are familiar to him.
“Your testimony resonates with me because so many credit unions and community banks in my district have told me that, of all the regulatory pressures they face, all the compliance costs, this is one of the top priorities in terms of costs,” Barr said, and asked Sponem who is ultimately bearing all these costs.
“Because we’re owned by our members, it's really our members’ money we’re spending to deal with these situations,” she said. “That’s $1 million in 2017 alone that could have gone to other things, things that would benefit our members.”
Sponem said credit unions, other financial institutions and consumers need:
Subcommittee Chair Rep. Blaine Luetkemeyer said the pre-emption of state law is essential to solving the data breach issue, as law varies from state to state and some states do not have specific data breach laws.
“One of the issues that seem key to this situation is the pre-emption of state law,” he said. “It seems we have two choices. One, to pre-empt state laws to protect consumer data. The other is to allow this hodgepodge of laws to continue, and let the consumer beware.”