WASHINGTON — NAFCU President and CEO Dan Berger told a congressional panel Wednesday that cybercrime has reached a level of "epic proportions" that must be dealt with by lawmakers.
Berger testified before the House Small Business Committee on cyber and data security, emphasizing the crucial role that data security throughout the payments chain plays in the credit union movement. In prepared remarks, Berger noted that according to Symantec's 2015 Internet Security Threat Report, data breaches rose by 23% in 2014, and more than 317 million new pieces of malware were created.
"While large companies across all sectors are still a prime target, 60 percent of all targeted attacks struck small and medium-sized companies last year," he said.
Berger stressed that CUs rely on provisions of the 1999 Gramm-Leach-Bliley Act (GLBA) to protect consumers' personal data, but retailers and other entities that handle similar personal and financial data are not subject to those same regulations.
"GLBA and its implementing regulations have successfully limited data breaches among credit unions," Berger said. "The best way to move forward and address data breaches is to create a comprehensive regulatory scheme for those industries that are not already subject to oversight."
The NAFCU CEO also reminded Congress that such breaches aren't merely "an inconvenience."
"Data security breaches are more than just an inconvenience to consumers as they wait for their plastic cards to be reissued," Berger said, noting that the Target breach impacted 110 million consumer records, while the Home Depot breach last year impacted 56 million payment cards. "Breaches often result in compromised card information leading to fraud losses, unnecessarily damaged credit ratings, and even identity theft."
A NAFCU survey in February revealed that the average respondent spent $136,000 on data security in 2014, and that the average estimated cost associated with merchant data breaches last year was $226,000 per credit union, with card reissuance, fraud loss and account monitoring constituting the bulk of those expenses.
"Unfortunately, credit unions often never see any reimbursement for their costs associated with the majority of data breaches," he said. "Even when there are recoupment opportunities, such as the recent Target settlement with MasterCard, it is usually only pennies on the dollar in terms of the real costs and losses incurred."
Berger's testimony called for national standards for safekeeping information, data security policy disclosures, burden of proof in data breach cases, and more.
"Consumers will only be protected when every sector of industry is subject to robust federal data safekeeping standards that are enforced by corresponding regulatory agencies," Berger's prepared remarks said. "It is with this in mind that NAFCU urges Congress to modernize data security laws to reflect the complexity of the current environment and insist that retailers and merchants adhere to a strong federal standard in this regard."