CUNA in trenches for CUs on data security

September 25, 2014

WASHINGTON (9/26/14)--For some, the major Home Depot breach and the more recent hit on Jimmy John's sandwich shops serve as reminders of how devastating cyberattacks can be for both consumers and financial institutions.

The Credit Union National Association hasn't needed such reminders.

In the aftermath of the Target data breach, and even before it, CUNA has pressed federal and state lawmakers to enact legislation that would require merchants to bolster their cybersecurity systems.

With every passing week--whether it be Target, Home Depot, P.F. Chang's, Michaels, Nieman Marcus and so on--it seems one more example surfaces on why such action is necessary.

"Since January, CUNA and the leagues have been voicing the frustration of credit unions and raising awareness of what these breaches cost credit unions and--ultimately--their members every time a breach occurs," said Jim Nussle, CUNA president and CEO. "The latest violations at Home Depot and Jimmy John's add weight to our contention that Congress must mandate consistent data standards for merchants. When Congress returns in November, it will hear our voice loud and clear for action."

That voice should be familiar to legislators.  

When news broke last year that Target had been hacked, exposing millions of pieces of consumer data, CUNA leaders canvassed Capitol Hill to urge lawmakers to take up the issue and force merchants to meet data security requirements equitable to those imposed upon financial institutions.

Days after the breach, CUNA specifically reached out to House Financial Services and Senate Banking committee leaders to encourage them to fully examine merchant data breaches and their impact on consumers and financial institutions (News Now Jan. 16).

But that wasn't the first time the trade association had been in the ears of lawmakers on this issue.

"For several years, CUNA has been pushing for congressional action on legislation to require merchants to reimburse financial institutions for costs incurred when breaches occur in retailers' systems," Kathy Thompson, CUNA senior vice president for compliance, said at the time (News Now Jan. 7).

Still, in the months following the Target breach, CUNA redoubled its efforts in Washington and throughout the country to raise awareness about the inequity between the separate standards for financial institutions and merchants.

"This continues to be a top issue at CUNA," said Eric Richard, CUNA general counsel (News Now Feb. 14). "As our member credit unions know, CUNA and the leagues are pursuing every avenue to urge that merchants are held responsible for reimbursing financial institutions when merchants' security lapses cause situations such as this. In fact, CUNA was among the first to knock on Congress' door to demand hearings on this issue and on creating a better data security framework."

CUNA leaders also have sought to include merchants in these discussions.

In March, CUNA called on merchant groups to start working together with financial institutions to implement the best possible solutions to protect consumers from fraud and identity theft, even if the solutions proved costly.

But that cost is already being felt by credit unions and, consequently, their members.

After the Target breach, CUNA sent out a request nationwide to credit unions to report how the major beach had affected them financially.

All told, credit unions were on the hook for $30.6 million, according to CUNA's estimates, and credit unions reissued roughly 4.6 million credit and debit cards in the aftermath.

CUNA is once again urging credit unions to track the costs incurred as a result of the Home Depot incident. The trade association will soon circulate a survey to collect the following information:

  • Number of debit and credit cards affected;
  • Costs incurred for card reissuance;
  • Costs related to additional staffing, member notification, account monitoring, etc.;
  • Changes in call volume;
  • Changes in staffing; and
  • Any specifically identifiable fraud-related losses.

While those numbers are collected, CUNA continues work with groups such as the Payments Security Task Force (PST), the Payments Council and the Electronic Payments Coalition (EPC) to address data breach issues. The PST is comprised of groups that meet weekly to discuss new security measures and the process of integration; and to create resources for merchants, consumers and financial institutions.

The Payments Council is made up of several financial services trade organizations, including CUNA, and has held a number of meetings over the past few months to discuss the future of payments and cybersecurity efforts.

The EPC, a group of networks, financial services trade associations and issuers, works on communications messaging and public affairs advocacy, especially to inform the media and the Hill about key developments in data breaches and other issues.

Further, CUNA has consulted with prominent class-action attorneys from several law firms on data breach issues, while also helping credit unions reach various class-action firms that invest in this type of litigation.

The Target breach resulted in more than 30 cases directly related to financial institutions, with at least 10 credit unions serving as named plaintiffs (News Now Sept. 10).

Stickley on Security, online member education videos

Anytime Adviser ID Theft coach

Awareness Technolgies/CUNA Strategic Services

Ongoing Operations/CUNA Strategic Services

Trace Security/CUNA Strategic Services

D+H Compushare/CUNA Strategic Services

SilverSky/CUNA Strategic Services