WASHINGTON—The war of words between credit unions and merchants over data breaches continues to escalate, but it remains to be seen what effect the new Republican majority in Congress will have on the battle.
CU trade groups have spoken up loudly that retailers must be responsible for making members whole following any losses sustained during a merchant data breach, and on Oct. 30 six members of retail trade groups sent a letter to CUNA and NAFCU outlining their position.
In the letter, the merchants' representatives referred to the Merchant-Financial Services Security Partnership, which includes more than 250 executives from across the retail and financial services spectrums working to protect businesses, institutions and consumers from data breaches.
"Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the partnership," the merchants wrote, "one constituency has still not seen fit to participate: credit unions. It is past time we started working together for the greater good of America's consumers."
The presidents of the two CU trade groups fired back, noting that merchant data breaches in the last 12 months have cost credit unions and their members at least $90 million—and that's just for the breaches at Target and Home Depot ($30 million and $60 million, respectively).
"There is no end in sight as long as you resist federal data security standards, like those credit unions must follow under the Gramm-Leach-Bliley Act," wrote CUNA CEO Jim Nussle and NAFCU CEO B. Dan Berger. The pair said the trades would be willing to take part in a collaborative effort only if merchants and their trade groups agreed to work within the same data-security standards that CUs and other FIs are currently held to.
"In short," Nussle said in a subsequent statement, "we'll back off highlighting the costs of data breaches on credit unions when merchants step up and take responsibility and stop making consumers vulnerable."
In his own statement, Berger similarly quashed the idea of the CU trades joining the merchants' coalition.
"We will join their partnership when retailers and merchants begin properly protecting consumers' data and investing in the technology necessary to do so," he said.
'A Front-Burner Issue'
The dueling letters came only days before the midterm elections, in which Republicans gained control of the Senate and increased their majority in the House—the first time the GOP has controlled both chambers of Congress since 2006.
"We really hope that the new Congress is going to pay close attention to what's going on," said Katie Marisic, VP of political affairs at NAFCU, adding that FIs continue to be the ones "picking up the slack" as data breaches happen with increasing regularity.
Ryan Donovan, SVP of legislative affairs at CUNA, noted that this kind of legislation has been a struggle to move through Congress not because of the party make-up but because it involves multiple committees which can't always get a bill to the floor for a vote.
"We think that it is very reasonable to ask Congress to hold the merchants to the same type of data standards that credit unions face," he said.
John McKechnie, who formerly worked at NCUA and CUNA and is now a partner at D.C.-based consulting firm Total Spectrum, told CU Journal that regardless of which party is in power, credit unions and their trade groups "have to continue to make this a front-burner issue."
"The thing we have to remember, though, is that both parties seem to be split in terms of preferring retailers and financial institutions," he added. "Both industries seem to have good friends on both sides of the aisle. Even though you have a new majority, I don't think the Republicans are going to be any more or less receptive. It's a matter of credit unions putting the elbow grease in and working very hard to make sure Congress sees us as very persistent in standing up for the consumer on this."
State or Federal?
Some analysts, however, said that what Congress does—or doesn't do—may not matter.
"If businesses continue to be breached and the politicians and public continue to have concerns [about data security], who usually steps in to fill that is the government. If Congress is not going to do it or can't do it, I think you'll start seeing states do it," said Collin Hite, a partner with the Insurance Recovery Group at Hirschler Fleischer in Richmond, Va., pointing out that either governors or attorneys general could lead that charge at the state level.
"We've seen it in other areas where attorneys general have been very aggressive against other industries for issues, such as some of the insider trading where they've tried to take the lead," he said. "I think you'll see states take that lead. I think businesses would prefer to have a national, uniform standard, but somebody's going to have to step into the breach."
Jake Olcott, a principal with Good Harbor Security Risk Management LLC, concurred about the possibility of states leading the charge on data standards, noting that in some cases "state-by-state laws have almost made the idea of a national standard irrelevant."
Speaking before the election, Olcott said that single-party control could increase the likelihood of meaningful Congressional action.
"Whenever you have a situation where there is single-party control of both houses of Congress it is obviously much easier to legislate than when different parties are controlling the houses," he said.
But, he added, "from a policy standpoint, there has been so much conversation on the Hill in recent years about how terrible cyber security is. Yet that understanding of the problem has not necessarily led to any action, even though it seems like both sides aren't really too far off."