Data security: A shared responsibility
One billion. That’s the number of personally identifiable information records stolen through data breaches in 2014, according to a report from IBM and the Ponemon Institute. Even those who follow the news may be surprised by that number. The reality is that while a few major breaches have made headlines, most fly under the radar.
There is no reason to believe that we will see any decrease in cyber assaults in the coming years. In fact, we expect them to rise as our lives increasingly move online. The payments industry has been on the front lines protecting against security threats, and has consistently risen to new challenges.
Since 1999, financial institutions, including credit unions, have adhered to the stringent standards of the Gramm-Leach-Bliley Act that help safeguard consumers’ sensitive personal and financial information.
Most recently, payments card issuers have been protecting consumer data through the use of new EMV chip cards. These cards contain a microchip that generates a unique code for every purchase, making counterfeit card fraud extremely difficult. This means breached data will be far less valuable to criminals. However, sending the cards to consumers is only part of the solution. Businesses must also activate their terminals to accept these new, secure cards.
While EMV will help stop criminals from making fraudulent transactions, it is not a panacea when it comes to data security. More still needs to be done to ensure that consumer data is safe in the hands of retailers. That is why the National Association of Federal Credit Unions (NAFCU) signed a letter on Oct. 15 with several other payments associations in support of the Data Security Act of 2015 (H.R. 2205), introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.). This act not only establishes uniform national standards for protecting consumer payment and personal information, but also requires all entities to have procedures in place to protect consumer data.
Under current rules, retailers are not subject to the Gramm-Leach-Bliley Act requirement to develop and maintain robust internal protections against network intrusions and data theft. Under H.R. 2205, retailers would be held responsible for implementing security measures to protect consumer data. These systems, which should start with the ability to process new EMV chip cards, should prevent data breaches from happening in the first place. S. 961 is the companion bipartisan bill, introduced in the Senate by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.).
Microchips will go a long way toward safeguarding data, but it would be foolish to think that they will end cybercrime and hack attempts. According to Symantec’s 2015 Internet Security Threat Report, more than 317 million new pieces of malware were created in 2014, and breaches were up 23 percent from 2013. Indeed, the major retail data breaches that compromised millions of consumers’ sensitive financial data were caused by malware.
We need to start to get at the root of the problem and pass laws that would help protect the data that is being hacked at big-box retailers. Until we do, cybercriminals will have free rein to continue their attacks on consumers at every vulnerable point of sale.
Credit unions and the entire financial services industry want to continue innovating with all parties involved – retailers, networks, processors, financial institutions and others – to build a safer, faster payments system and implement merchant standards that will ensure the security of consumers’ payment information.
Creating a solution that protects American consumers not only now but in the future requires everyone to step up to the plate – not just the financial industry, but retailers as well.
Berger is president and CEO of the National Association of Federal Credit Unions.