CUNA, NWCUA Urge Credit Unions to Track Expenses Caused by Target Data Breach

CUNA and the Northwest Credit Union Association are asking credit unions to keep detailed records of the costs they’re incurring in response to the recent data breach at Target stores nationwide as both organizations continue to demand that merchants be held accountable for more than just the damage to their own reputations.

The Target breach, first reported by security blogger Brian Krebs and later confirmed by Target, affects more than 40 million cards used in the company’s U.S. stores between Nov. 27 and Dec. 15. Target says customer names, card numbers, expiration dates and three-digit security codes all were compromised.

“The Association is working very closely with CUNA to determine the extent of the damages credit unions are experiencing due to this breach,” said Jennifer Wagner, the NWCUA’s vice president for legislative advocacy. “We will work vigorously to pursue legal options open to credit unions, and we will also work with state and federal legislators to improve our opportunities for statutory relief.”

CUNA announced Friday that it would launch a website to collect information about the costs incurred by credit unions in response to the Target breach. CUNA President/CEO Bill Cheney said the website will be operational next week, and Wagner urged Northwest credit unions to report fraud losses and the cost of replacing credit and debit cards to CUNA as soon as the website is up and running.

David Curtis, the NWCUA’s director of compliance services, also urged Northwest credit unions to send any comments or questions to compliance@nwcua.org. A 2010 law passed by the Washington Legislature could open the door for credit unions to collect damages if Target is held liable for the breach, he said, and accurate records would be crucial to the success of any legal action.

Provisions of the Washington law, RCW 19.225.020, allow credit unions to bring reimbursement suits if a data breach results from negligence on the part of the merchant. The statute limits retailers’ liability, Curtis said, “but if it can be proven that the business did not take reasonable care to safeguard the members’ card information, then they can be held liable.”

Northwest credit unions actually led the charge in 2010 to make reimbursement suits possible.

“We were literally the only group in Olympia pushing for this change in the law at first,” said Mark Minickiello, the NWCUA’s vice president for legislative affairs. “It took us three years to get consensus and change the law to allow financial institutions to recover some of the costs incurred in a data breach. It was a David-versus-Goliath effort.”

Credit unions have long argued that merchants should be held accountable not only for protecting consumers’ financial data but also for the consequences of data breaches when they do occur. More should be at stake than a hit to retailers’ reputations, industry executives say.

“These breaches also have a reputational impact on card issuers, like credit unions,” said Scott Burgess, president and CEO at Rivermark Community Credit Union. “We are the ones that have to deliver the bad news to the impacted members, and they view this inconvenience as something caused by the issuer.”

That was certainly true this week, as Northwest credit unions moved quickly to respond to the Target breach. White River Credit Union quickly alerted members that its VISA processor had placed an automatic block on affected debit and credit cards, for example, but some members first learned of the action when their card was denied at stores and ATMs. Many understood, but others took to Facebook to vent their frustrations.

“I’m grateful you did this,” one member posted, “but I was mortified when my card was declined twice yesterday and I had to figure out alternative payment.”

That’s why “retailers like Target and their processors need to be held more responsible for data breaches,” Burgess said. “And they should be held financially responsible for making card issuers whole.”

On Friday, U.S. Sen. Richard Blumenthal (D-Conn.) said he would urge the Federal Trade Commission to investigate Target’s security practices to see if the retailer failed to adequately and appropriately protect its customers’ data, and he promised to push to give the agency more authority to penalize companies with large data breaches.

Cheney said CUNA would also continue to pursue that option on the national level. “We have initiated discussion with key congressional contacts about our ongoing concerns of the responsibility of merchants to protect data, and be accountable for the consequences of data breaches when they occur,” he said.

In the meantime, CUNA’s Compliance Team addressed the Target breach Friday on its online blog. “It’s not like this hasn’t happened before,” the blog said, “just not right before Christmas and at a very large, nationwide retailer.”

Regardless of the timing or the size of a breach, CUNA said, credit unions always need to quickly determine the likelihood that the information has been or will be misused, and then take the following steps:

  • Assess the nature and scope of the incident, and identify what member information systems and types of member information have been accessed or misused. CUNA’s note: The card processors have of course provided this information to credit unions issuing their cards, and they continue their investigations.
  • Notify the appropriate regulator (the NCUA regional director or applicable state supervisory authority for state charters) as soon as possible after becoming aware of the incident. CUNA’s note: While we can safely assume that regulators are well aware of the general situation, each credit union is required to report the impact of the breach on their operations.
  • Notify appropriate law enforcement authorities, and file a timely Suspicious Activity Report (SAR) in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is on-going. CUNA’s note: Credit unions will of course also need to report incidents of possible fraud to their insurers and VISA and MasterCard.
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence. CUNA’s very obvious note: This will be a major on-going responsibility of credit unions for some time to come and at notable expense.
  • Notify members when warranted. If the credit union determines that misuse of sensitive member information has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. If the credit union can determine which members’ information has been improperly accessed, it may limit notification to only those members. However, if the credit union is unable to identify which specific member’s information has been accessed, the credit union should notify all members in the group of files in question.

Credit unions also can point their members to the Federal Trade Commission website at www.consumer.gov/idtheft, where they can report incidents of identity theft and learn how to protect themselves from future incidents. In addition, consumers can monitor their credit report once every 12 months for free; details are at www.AnnualCreditReport.com.

Questions? Contact Gary Stein: 503.350.2216, gstein@nwcua.org. 
