The recent confirmation of a second data breach at Sally Beauty Holdings Inc., based in Texas, crystallized the continuing challenge consumers and financial institutions have regarding retail data breaches. As Congress examines cyber security and data security issues, I hope lawmakers will keep in mind that as long as retailers lack national data security standards, consumers’ sensitive financial information will be ripe for cyberattacks. As those attacks continue, financial institutions will continue to be left picking up the tab.
Credit unions and other financial institutions already protect consumers’ personal data under the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA). Unfortunately, there is no comprehensive regulatory structure similar to GLBA for other entities, such as retailers, that handle sensitive personal and financial data.
At Government Employees Federal Credit Union in Texas, a not-for-profit, member-owned financial cooperative, we have had to absorb huge losses from data breaches at big retailers like Target and many others to make our members whole. So far in 2015, we have incurred $22,080 in fraud costs that include reissuing cards, notifying members and covering the fraud that has occurred on our member accounts. That figure is nearly as high as our total fraud cost for 2014. At this rate, our total fraud costs for 2015 could be as high as $61,000, or $6.61 per member.
While that number may not seem like much in Washington, these costs are significant for our small credit union and its 10,018 members. Our credit union is just one of the thousands of credit unions that are experiencing outrageous data breach costs from the continued lack of national data breach standards for retailers. A February 2015 survey of the National Association of Federal Credit Unions’ (NAFCU) members found that the average credit union respondent spent $136,000 on data security measures in 2014 and that the estimated costs associated with merchant data breaches in 2014 were $226,000, on average, per credit union.
By contrast, a 2015 Columbia University review of the financial statements of merchants such as Target and Home Depot reveals that retailers barely notice a financial hit from massive data breaches: breach costs were less than one-tenth of 1 percent of these giant retailers’ 2014 annual sales.
Voluntary standards have proven to be poor protection for consumers, because retailers get paid for their products and services whether or not they bear the considerable cost of securing their data systems. The Verizon 2015 Payment Card Industry Compliance Report found that 80 percent of global retailers fail to meet widely accepted Payment Card Industry (PCI) data security standards.
I hope Congress will finally act to hold retailers accountable for data breaches on their end. The bipartisan S. 961, the “Data Security Act of 2015,” recently introduced by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.), and its companion House bill, H.R. 2205, introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), together make up the ideal legislation currently before Congress: they would set national data security standards for retailers akin to GLBA while acknowledging financial institutions’ existing adherence to GLBA standards.
The current situation continues to compromise the safety of consumers’ sensitive financial and personal information, and it jeopardizes the safety of our economy. Congress must put an end to the free ride retailers have been enjoying and pass national data security standards for them.
Crisp is president and CEO of Government Employees Federal Credit Union, a full-service financial institution with $132 million in assets that serves 10,018 members based in Austin, Texas.