Every time there is a retailer data-security breach, credit unions step forward to make their members whole. A NAFCU survey found that its member credit unions paid an average of $226,000 each in costs associated with retailer data breaches in 2014. Meanwhile, large companies like Target might lose less than one-tenth of one percent of their annual sales due to a data-security breach; and if they want to recoup expenses, they can always raise prices. Credit unions, as not-for-profit, member-owned institutions, have no such remedy.
It's time to get a national data-security standard in place for retailers. And to do that, we need everyone in the industry – trades, credit unions and the more than 107 million credit union members nationwide – to raise their voices and make Congress take action.
From hotel chains to restaurants to the recent breaches of electronic signature company DocuSign — which has more than 100 million customers around the world — and Kmart, the barrage of bad news about data security breaches and point-of-system malware infections seems never-ending. Ransomware is also growing as a threat that can put consumers’ data at risk without warning. It is clear that cybercriminals aren’t slowing down in the least.
Recent data shows that 65 percent of all targeted data-security attacks hit small- and medium-sized companies last year. Consumers shopping at retailers of all sizes are at risk.
And I know this: These dangerous breaches will continue to put consumers at risk until Congress acts to make sure all participants in the payments chain do their fair share to protect data.
Credit unions have been steadfast in protecting their members' information, but credit unions cannot control the subpar security of the retailers their members use. After each breach, retailers pass the costs off to consumers and their financial institutions. Credit unions make their members whole every time – and the industry understands the importance of keeping members' trust by being there for them at every turn. Other industries have not proven themselves to be so steadfast.
Credit unions across the country are joining NAFCU to call on lawmakers to hold retailers to the same strict data-security standards credit unions already follow under the 1999 Gramm-Leach Bliley Act. The GLBA has provided a flexible, scalable guideline that has helped credit unions keep their members' data safe for years. Outside of that standard for financial institutions, however, there is no clarity, and there are no requirements for companies to follow – putting consumers across the country at constant risk.
This is a top priority for our association because we recognize the seriousness of how this is impacting credit unions and their members. We are ramping up our efforts in the face of this growing threat – and we are calling on Congress to respond with the same level of urgency.
As NAFCU testified before the House Small Business Committee this March, the best way to address data breaches is to create a comprehensive regulatory strategy for industries that are not already subject to oversight. As credit unions know all too well, merchants and retailers are often the weakest link in the payments chain, and hackers and other cyberthieves know this.
Securing consumers' personal information and financial accounts will require the entire payments ecosystem to take an active role in addressing threats – current and future. It will also require all industries to be proactive in protecting consumers' personally identifiable and financial information from the outset.
Credit unions' adherence to the GLBA and its implementing rules has successfully limited data breaches within our industry.
Retailers need to do their part.
In order to serve their 107 million members, credit unions must have a positive regulatory environment that helps them succeed. Credits unions can't be expected to both protect their members' data and be on the hook when other institutions fail to do the same.
Credit unions and their members are a vital part of this nation's economy, and lawmakers would do well to listen to their voices – constituent voices. NAFCU members are speaking out about the importance of data security in this new age. We must push Congress to listen carefully.
NAFCU is proud to have a 50-year history of standing up for credit unions and spreading the industry's message so that as many people as possible can hear about the unique value credit unions provide to consumers. Times have changed, but the amazing service credit unions provide their members with has stayed the same. NAFCU's advocacy on their behalf will stay the same as well. We plan to continue pushing for a strong data-security standard that protects consumers and allows credit unions to focus on serving their members – what they do best.