WASHINGTON (9/5/14)--The implications of a recent data breach at Home Depot--which has the potential to dwarf that of last year's Target Corp. incident--could weigh heavily on credit unions.
Credit unions too often are on the front lines of a merchant data breach, Bill Hampel, interim president/CEO of the Credit Union National Association, emphasizes. "Credit unions know what to do in response to these all-too-regular breaches: We notify members, determine whether to reissue debit and credit cards, increase call center staff to serve members and set up account monitoring to protect our members."
However, these necessary steps to protect credit union members come at a cost--the Target data breach alone cost credit unions an estimated $30.6 million, not including fraud costs, according to CUNA analysis.
An article this week in The Wall Street Journal's "CIO Journal" noted that financial institutions and the finance industry spend as much as $2,500 per employee on cybersecurity, while retail and consumer products companies dedicate about $400 per employee.
Also, the financial services industry spends about 5.5% of information technology budgets on cybersecurity compared with 4% by retailers, said Lawrence Pingree, research director at Gartner Inc., in the "CIO Journal" article.
Inconsistent data security standards put consumers at risk. While credit unions and other financial institutions are subject to high data-protection standards under the Gramm-Leach-Bliley Act, merchants are not held to the same standards. "Under today's federal law, there is no merchant accountability," Hampel said, adding, "That has to change."
"Until and unless merchants are held accountable for the damages that breaches to their systems cause financial institutions and consumers, credit unions have little confidence that they will be incentivized to properly secure their systems," he said.
Technologies such as chip-and-PIN cards and tokenization are emerging to secure the payments system. In fact, CUNA participates in the Payments Security Task Force, which is engaged in promoting adoption of the Europay-MasterCard-Visa (EMV) standard, encryption technology and tokenization to shore up financial data security.
"However," Hampel stressed, "Congress must play its role in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others."
Information security expert Brian Krebs reported on the Home Depot breach Tuesday and expanded on its enormity Thursday.
Home Depot has about 2,000 locations in the United States, and the breach likely started in late April or early May. Krebs noted that the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers. (See related story: Target wants FI claims removed from class action.)
"If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target," he wrote on his blog KrebsOnSecurity.com.