League presidents raise voices for data breach protection

October 16, 2014

MADISON, Wis. (10/17/14)--Credit union leaders continue to shape the narrative surrounding the data breach issue through both media and political channels. That narrative has begun to include work between credit union and bank organizations to coordinate joint messages about concerns regarding inconsistent data security standards for merchants.

Supporting the Credit Union National Association's efforts on Capitol Hill, the Ohio Credit Union League is joining forces with the Ohio Bankers League (OBL) to press Ohio's congressional delegation to hold merchants accountable for customer data protection lapses (eLumination Oct. 16).

A joint letter from Ohio league President/CEO Paul Mercer and OBL President Mike Adelman will be sent next week to House Financial Services Committee members Rep. Joyce Beatty (D-Columbus) and Rep. Steve Stivers (R-Ohio), and Senate Banking Committee member Sherrod Brown (D-Ohio).

The letter will ask for immediate steps to create equal data protection standards for all involved in the payments process, accountability for merchants that fail to protect customer data, and recovery of financial loss among institutions impacted by merchant negligence. The letter will be copied to all of Ohio's members of Congress.

The New Jersey Credit Union League (NJCUL) has also taken the lead and reached out to the New Jersey Bankers Association to support data-security bills pending committee action in the state Assembly and Senate, Greg Michlig, NJCUL president/CEO, told News Now Thursday.

"We are hopeful they will join the fight," Michlig said.

The legislation, spearheaded by Assembly Speaker Vincent Prieto (D-Seacaucus), would prohibit the retention of magnetic-strip data and require that the entity responsible for a breach reimburse card issuers for any expenses resulting from the beach such as reissuing cards or fraud-loss costs.

On a national level, in addition to participating in CUNA's nationwide call-to-action, the New Jersey league is reaching out to its delegation, with a particular focus on Senate Banking Committee member Robert Menendez (D-N.J.) and House Financial Services member Rep. Scott Garrett (R-N.J.).

"We've also briefed the major candidates in the three open-seat House races to ensure they know our position well in advance of their possible election," Michlig told News Now.

Credit unions also continue to press their case through the opinion pages of local publications.

The Columbus Dispatch published a letter to the editor on the data breach issue from Ohio's Mercer in its Oct. 10 issue. "Why are so many breaches happening?" Mercer wrote. "One reason is that data-security standards are inconsistent across the country. Financial institutions, including credit unions, are subject to high data-protection standards by law, while merchants are not subject to any federal standards."

In a letter to the editor that appeared in the Oct. 8 edition of the Litchfield County Times, Jill Nowacki, president/CEO of the Credit Union League of Connecticut, wrote that until merchants are held accountable for the damages that breaches cause, credit unions will have little confidence that they will properly secure their systems.

"Congress has a role to play in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules," Nowacki wrote. "Merchants who hold consumer data and allow that data to be breached, need to be responsible for the costs incurred by others."

Most important to the debate is the impact on consumers--the member-owners of credit unions, wrote Michael Duffy, president/CEO of Financial Center CU, Stockton, Calif., with $380 million in assets.

"Every time one of these breaches occurs, the consumer loses faith in the system," Duffy wrote in the Oct. 14 issue of the The Record. "While credit unions, like mine, work continuously to secure the data of our members, merchants are not required by the same laws to encrypt consumers' information."

Credit unions, along with other financial institutions, have been subject to stringent standards on data security since the enactment of the Gramm-Leach-Bliley Act in 1999, wrote John Bratsakis, president/CEO of the Maryland-D.C. Credit Union Association, in a guest opinion that appeared in the Oct. 9 edition of the Baltimore Business Journal.

"However, the retailers serving hundreds of millions of consumers daily are not held to these same high standards," Bratsakis added. "Unfortunately, as a result of lax, ineffective data management and storage procedures, these retailers are often victims of data breaches with the ultimate victims being their customers."

When consumers are victimized, credit unions have stepped up to help them, Mark Cummins, president/CEO of the Minnesota Credit Union Network, wrote in an Oct. 5 Duluth News Tribune column.

"We know what to do because we've had to do it all too often," Cummins wrote. "To name just a few of these steps, we notify our members, make a determination about reissuing debit and credit cards, increase call center staff and set up account monitoring. These actions are not without cost, and the impact of a single merchant data breach, let alone several over the course of just months or even weeks, means these costs add up quickly. For not-for-profit credit unions operating on already thin margins, these costs make a significant difference in the bottom line."

Stickley on Security, online member education videos

ID Theft: How to Prevent It and How to Get Over It statement stuffer (customized)