NWCUA will Use Data Breach Survey Results to Fight for Tougher State, Federal Laws

Credit unions and their members should have clear legal avenues to recoup costs associated with the mishandling of credit and debit card information by retailers.

That’s the message that the Northwest Credit Union Association will deliver to Congress later this month during the 2014 Governmental Affairs Conference in Washington, D.C., and to state legislators in the Pacific Northwest in the wake of nationwide data breaches at Target, Neiman Marcus and other retailers and the theft of financial information from URM Stores Inc. in Oregon, Washington, Idaho and Montana.

To strengthen its argument, the NWCUA is urging member credit unions to participate in an online survey being conducted by the Credit Union National Association in the wake of the massive data breach at Target. That theft of payment-card and personal information affected more than 110 million customers who shopped at the retailer’s U.S. locations during the holidays, making it one of the biggest thefts of its kind in U.S. history.

In addition, the NWCUA is conducting its own survey on the impact of the URM Stores breach, which impacted shoppers at Rosauers and Yoke’s Fresh Markets over a three-week period in November 2013. That heist resulted in a rash of fraudulent purchases involving signature transactions with debit cards that contained original card numbers and cardholders’ names.

“Our credit unions worked quickly to prevent fraud against their members by blocking affected cards and reissuing new cards,” says Troy Stang, the Northwest Credit Union Association’s president and CEO. “But these security measures come at a cost to cooperative financial institutions, and ultimately to their members. It’s ironic that none of these costs are currently recoverable from those retailers who are ultimately responsible for their systems being breached.”

Preliminary results of the CUNA survey show that Northwest credit unions have already spent an estimated $1.3 million responding to the Target heist. The survey put the cost to credit unions across the country at somewhere between $25 million and $30 million to date, but said that those costs could grow substantially if fraud losses mount.

In a letter to the U.S. Senate last week, CUNA and its cosigners — including the American Bankers Association and the Independent Community Bankers of America — said that the Target data breach has affected 10 percent of the credit and debit card customers of every credit union and bank in the country. The letter was submitted for the record at a hearing conducted by the Senate Banking subcommittee on national security and international trade and finance.

“The financial services industry stands ready to assist policymakers in ensuring that robust security requirements apply to all participants in the payments system,” the letter said. “Our payments system is made up of a wide variety of players: financial institutions, card networks, retailers, processors, and new entrants. Protecting this eco-system is a shared responsibility of all parties involved and all must invest the necessary resources to combat increasingly sophisticated breach threats to the payments system.”

All participants in the payments system should be responsible and be held to comparable levels of data security requirements, senators were told. Those responsible for data breaches should be responsible for the costs of helping consumers, and consumers should be told where and how their information was compromised, the CUNA letter said.

In addition to the subcommittee hearing, the Senate Judiciary Committee, Senate Banking Committee and the House Energy and Commerce subcommittee on manufacturing and trade all scheduled sessions on data security last week. The topic will also be on the agenda Feb. 26, when Northwest credit union advocates “hike the Hill” and meet with lawmakers at the 2014 Governmental Affairs Conference.

“Our message will be straightforward,” says Jennifer Wagner, the NWCUA’s senior vice president for advocacy. “Credit unions and their members should have clear legal avenues to recoup costs associated with credit and debit card information that has been mishandled by retailers.”

In the Northwest, the financial impact of the URM Stores heist has yet to be determined. The breach primarily affected credit unions in Idaho and the Spokane area, and most opted to take a proactive approach. Olympia-based WSECU reissued several thousand debit and credit cards for its Spokane-area members, for example, and others — including Northland Credit Union, Sears Spokane Employees’ Federal Credit Union, Monad Federal Credit Union and Spokane Media Federal Credit Union — took similar action.

Wagner says the URM Stores breach may create an opportunity for affected credit unions to test a Washington state law, RCW 19.225.020, which allows credit unions to bring reimbursement lawsuits if a data breach results from negligence on the part of a merchant.

NWCUA led the charge in 2010 to make the reimbursement lawsuits possible. The statute currently limits retailers’ liability, but Wagner says that the information collected in the Association’s online survey will be used to strengthen the case for legislative action to toughen the law.

Credit unions impacted by the URM Stores breach will find the online survey here. CUNA’s survey on the impact of the Target breach is available here.

“The Northwest is viewed nationally as a leader on credit union issues,” Wagner says. “Let’s once again demonstrate our commitment to improving the charter on the federal and state level with an overwhelming response to these surveys.”

In related news:

  • A western Pennsylvania credit union is suing Target for the cost of reissuing debit cards to its members. The federal lawsuit by First Choice Federal Credit Union seeks class-action status; it claims that Target should have known that its payment processes were vulnerable to attack, that it failed to take adequate measures to protect sensitive data, and that it waited for several weeks after learning of the breach to notify consumers.
  • Security blogger Brian Krebs, who was the first to report on the Target breach, now says the initial intrusion into Target’s systems has been traced back to network credentials that were stolen from a refrigeration, heating and air conditioning subcontractor. Current payment card industry (PCI) security standards do not require organizations to maintain separate networks for payment and non-payment operations, Krebs reports, but they do require merchants to incorporate two-factor authentication for remote network access by all third parties.

    Fraud analyst Avivah Litan tells Krebs that Target could be facing losses of up to $420 million as a result of the breach, including reimbursement associated with banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance; and direct Target customer service costs, including legal fees and credit monitoring for tens of millions of customers impacted by the breach. More details are on the blog.


Questions? Contact Gary Stein: 503.350.2216, gstein@nwcua.org.

Posted in Advocacy News, Federal.