It has been nearly three months since the Target data breach, and see what progress we have made:
• Numerous congressional hearings were held on data security.
• A chorus of calls for shared responsibility arose regarding data security and national data security standards.
• Most experts agreed that the recent breaches all involved intrusions into the computer networks of various companies. These compromises have nothing to do with card technology (e.g., "chip-and-PIN") and everything to do with holes in internal firewalls at the retail companies that criminals are exploiting.
• U.S. Attorney General Eric Holder called for a strong national standard to quickly alert consumers when their information is compromised in a data breach.
Still, retailers continue to attempt to push chip-and-PIN technology as the centerpiece of much-needed data security reforms while continuing to resist any responsibility for breach costs or federal supervision. The retailers' zealous insistence on this aspect of security does nothing to afford consumers greater protection; their goal, instead, is to shield themselves from any additional oversight or cost. In fact, many credit unions are already moving towards adopting EMV and chip-and-PIN technology, but if that switch were completed tomorrow, the merchants would not be equipped to handle it. Chip-and-panacea? That is pie-in-the-sky talk from retailers, which want the rest of us to ignore reality.
In fact, in a recent interview the director of the Verizon Research, Investigations, Solutions, and Knowledge (RISK) Team Bryan Sartin stated, "With respect to brick-and-mortar retailers, 86% of the points of intrusion are through desktop sharing technologies. If simple two-factor authentication was used across the board on those technologies, 86% of those breaches wouldn't happen. It's security common sense."
NAFCU has redoubled our efforts and strengthened our resolve to keep the attention on national standards by joining forces with other financial institution trades and writing to Congress on several occasions. The inequity of the current data security standards is not just unreasonable; it is downright dangerous for our entire economy. No amount of diligence on the part of financial institutions will help prevent future data breaches if retailers are not held accountable through national data security standards like the ones applied to financial institutions under Gramm-Leach-Bliley.
Specifically, we continue to urge Congress to address the following issues related to data security:
• Require merchants to pay for the costs of breaches on their end, particularly when negligence is in play.
• Require any business entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.
• Require merchants to post their data security policies at the point of sale if they take sensitive financial data.
• Require the timely disclosure of the identities of breached companies and merchants.
• Enforce data retention prohibitions in existing agreements and establish statutory standards prohibiting the retention of payment card information by retailers.
• Require merchants to notify the account servicer or owner, including a financial institution, of any compromised personally identifiable information associated with the account.
• Require any breached merchant or retailer to demonstrate all necessary precautions have been taken to guard data.
Data breaches are having a staggering impact on credit unions. The estimated costs of the Target breach alone on credit unions is close to $30 million.
We cannot stand by while cyber thieves continue to wreak havoc on our economy. It behooves the retailers to share the responsibility and the tab with financial institutions to strengthen the systems that protect consumers' sensitive financial and personal data and our economy.
To be clear, this is about security. Our economy and consumers are not safe if only financial institutions are accountable. The companies that store consumer data need to secure their house.