01/17/2014 03:52 pm ET Updated Mar 19, 2014

Hold Merchants Accountable for Personal Data

The most recent data breaches by the big box retailers Target and Neiman Marcus are far from the first data breaches of this kind. And the way things seem to be going, they are not likely to be the last. In fact, in my time as CEO of a large credit union in California, and as president and CEO of the Credit Union National Association (CUNA), I have seen how frequently personal data can be compromised by a merchant. Much attention has been paid to the Target breach because of its size and scope, but these occurrences happen more frequently than we would like to admit, and even at smaller vendors.

As a result, millions of consumers, many of them assuredly credit union members, have been placed at risk of being victimized by thieves who could access their accounts or commit other forms of identity theft.

It's time for Congress to act to stop the cycle.

In the weeks following the Target breach, the first priority for credit unions has been to ensure that their members are protected from fraudulent transactions now and in the future. Unfortunately, due to the frequency of merchant data breaches, credit unions are all too aware of the steps they must take when they occur. The steps credit unions have been taking include notifying members who have been affected, helping them to monitor their accounts and urging them to review their account statements, reversing fraudulent transactions and reissuing their cards, when appropriate.

I know firsthand that credit unions are working with their members affected by this breach, and reissuing cards to them at no cost. Again, that's the right way to do business.

But, contrary to what some might think, the expense for taking this action is not and will not be reimbursed by Target. Rather, credit unions and banks rely on interchange revenue to cover the cost of card program administration, including, in these circumstances, reacting to a merchant data breach.

By contrast, Target's response to the breach has been in line with some other merchants' responses to breaches: The cost of picking up the pieces is not on us. The fact is, they are rarely held responsible for reimbursing financial institutions for the cost that the data breach has imposed on them and, in the case of credit unions, their members.

And, although Target has admitted that the breach occurred at one of its stores, conspicuously missing from their statement is any commitment to avoid leaving card issuers holding the bag for what went wrong in their own systems. Their admission should mean that the retailer, not credit unions and other financial institutions, should pay for the costs associated with making consumers whole, including reissuing payment cards.

The cost of a merchant data breach -- whether it is at a large national merchant or a local merchant -- can be significant for credit unions of all sizes. Because of credit unions' cooperative structure, the cost of such breaches is ultimately borne by credit union members. CUNA is currently surveying credit unions to obtain more information on the costs that they have incurred as a result of this breach, and we hope to be able to provide very soon an assessment of the impact the Target breach has had on credit unions and their members.

Credit unions provide exceptional service to their members in responding to these events. But our members wonder why their credit unions must bear the cost of the merchants' negligence, and why Congress has not done more to make merchants responsible for breaches of their data systems. We believe merchants that accept debit and credit cards should be subject to the same high data security standards as credit unions. Further, credit unions should have the ability in all instances to tell their members the name of the merchant where their accounts were compromised. And, merchants that have data breaches should by law be financially liable for the impact of the breach on affected consumers, as well as their financial institutions.

When all is said and done, credit unions and banks will have spent millions on what appears to be a major security failure caused by Target and other retailers' inability to protect consumer data.

As this event fades from the headlines and life returns to normal for consumers, credit unions and Target, we strongly encourage Congress to fully examine the chronic issue of merchant data breaches and the impact of these breaches on consumers and on financial institutions.

Failure to hold merchants fully accountable for data breaches when they occur ultimately harms consumers, undermines their confidence in our payments system, and adds to their growing frustrations that government is not protecting their interests.