On September 3, 2014, following the news of a possible breach at Home Depot (which was confirmed on September 8), the National Association of Federal Credit Unions (NAFCU) called on Congress to enact new legislation to hold retailers more responsible for data security breaches. “These continued data breaches will have a chilling effect on our consumer confidence and our economy at large unless Congress holds retailers to the same strict standards of data security and breach notifications that financial institutions must adhere to,” NAFCU President and CEO Dan Berger said in the statement. Financial institutions—including credit unions—are subject to data security standards imposed by the Gramm-Leach-Bliley Act, which does not apply to retailers.
Citing losses estimated at $30 million due to last year’s Target breach, the NAFCU’s August 21, 2014 letter asked Congress to impose the following requirements on retailers as part of new data security legislation:
- that retailers be held accountable for the costs of data breaches that result on their end;
- that retailers be subject to the data security standards imposed on financial institutions under the Gramm-Leach-Bliley Act;
- that retailers that have suffered a data breach make timely disclosures to alert consumers; and
- that retailers bear the evidentiary burden of proving lack of fault after a data breach.
The National Association of Convenience Stores (NACS) responded to this letter, urging Congress to first “recognize that businesses whose data is breached are victim of crime.” NACS claimed that NAFCU’s position was flawed for several reasons. First, it argued that retailers already pay the cost of fraud and the cost of reissuing cards through swipe fees and reimbursement payments. Thus, to require them to pay for replacement cards would be to require them to pay three times. Moreover, it maintained that retailers should not have to disclose when they are breached if financial institutions—which, according to a Verizon data breach report, are victims of nearly 150% more breaches than retailers are—bear no such requirement.
NACS further noted that debit and credit cards issued by financial institutions are fraud-prone, where a criminal need only obtain the information on the front of the card to perpetrate a fraud. Instead, NACS believes that banks and credit unions should require consumers to use PIN numbers when making purchases, preventing criminals from buying anything with an account number alone.