Oregon House Considers Data Breach Legislation

The House Business and Labor Committee heard testimony March 27 on HB2581, a bill that will require merchants to notify financial institutions and the merchant services provider (i.e. card processor) that processed the transaction on behalf of the merchant. This will enable both the financial institution and the processor to quickly take appropriate steps to protect against fraud or identity theft.

Credit union CEOs Rob Stuart (center) and Rick Hein (right) testified before a House Committee considering data breach legislation. Attorney Hal Scoggins (left) assisted the credit union delegation.

Addressing the significant and growing problems caused by data security breaches is a policy advancement agenda priority for the Northwest Credit Union Association (NWCUA). The Association supports state and federal legislation to protect the confidentially of financial and personal information of credit unions and their members.

Financial institutions and card processors often don’t learn of data breaches right away. More immediate notice from the merchant would allow financial institutions to react more quickly to prevent losses, and that is the purpose of the current bill according to Pamela Leavitt, the NWCUA’s Policy Advisor for Oregon State Advocacy and Grassroots.

Leavitt appeared at the hearing with two credit union CEO’s who offered tangible examples of the harmful impact that the lag in merchant notification of data breaches, has on financial institutions.

Rick Hein, CEO of Corvallis-based Oregon State Credit Union, pointed out data breaches have impacted most consumers.

“Who among us has not had to have their compromised debit or credit cards replaced once or twice?” Hein asked committee members. “For some of us the number is even larger. We continue to see headlines almost monthly regarding data breaches such as the recent incident at “large restaurant” chain which is now in litigation where their defense alleges that the restaurant chain has no duty to safeguard sensitive customer information or to provide adequate notification of a data breach because there are no regulations or legislation requiring it do so.”

Rob Stuart, President and CEO of Portland-based OnPoint Community Credit Union, testified that a single data breach at a national restaurant chain last year impacted nearly 58,000 OnPoint members.

“Each time an identifiable card breach occurs, OnPoint cancels and reissues thousands of plastic cards to our members,” said Stuart.  “OnPoint takes its responsibility to protect member information extremely seriously, to protect our members and to comply with state and federal regulations. As payment systems of choice, debit and credit cards are used by our members every day to help meet their financial needs and goals. Given our sole purpose of serving our membership, OnPoint strives to provide them with the tools they need to be successful, including debit and credit cards,” he added.

Leavitt says if the bill is amended, it will not alleviate the substantial losses that a credit union suffers when its cardholders are subject to merchant data breaches. However, it should make merchants more aware of the costs and inconvenience of such breaches and may in turn create an impetus for improved security measures.

The legislation will also provide financial institutions with better notice of breaches – avoiding the delay and sometimes complete omission of notice provided through the card networks. This may permit institutions to act more quickly to prevent fraud losses from occurring, Leavitt said.

Editor’s note: Through Anthem and through direct communications to Oregon advocates, the NWCUA will keep members updated on the progress of this bill.



Posted in Advocacy News.