November 29, 2016 at 5:00 am ET
While Election 2016 is in the rearview mirror, our work is not done. We must come together to ensure that we find common ground to build a better nation for everyone, regardless of political affiliation.
One area that we can all agree needs improvement is data security. Of particular concern is the rampant growth of new retail data breaches, which have become all too regular. The nation’s data security standards must be improved to address this trend, and fortunately, we have a great foundation to build upon.
Seventeen years ago, Congress passed S. 900, the Gramm-Leach-Bliley Act. The final GLBA vote count in the House was 362-57. In the Senate it was 90-8.
The GLBA established a national data security standard for financial institutions that requires them to protect sensitive data and make their information-sharing policies clear to their customers. Under GLBA, credit unions and other financial institutions cannot disclose member or customer account numbers or share them for marketing purposes. They’re required to provide account holders notices that explain what information is collected about them and to describe how that information is shared, used and protected. Financial institutions are required to identify and evaluate risks to consumer information and to develop, test and update their plans to mitigate risk.
It is good policy, but 17 years later, there still are many industries that handle consumer financial information but operate without any national data security standards. Consumers are at significant risk as a result.
Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.) and Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have tried to address that vulnerability. The Data Security Act — H.R. 2205 and S. 961 — would apply GLBA-like standards to the retail industry in the handling of consumer financial information.
Like GLBA, H.R. 2205 has significant bipartisan support. There are 25 Republican and 16 Democratic cosponsors in the House.
The financial services industry strongly supports H.R. 2205, which will compel retailers to get serious about protecting their customers at the point of purchase.
Over the last 17 years, the financial services industry has gone above and beyond the requirements set forth in Gramm-Leach-Bliley, and today we’re continuing to invest in new technologies, including physical biometrics like facial and voice recognition, tokenization, point-to-point encryption and predictive fraud analytics that will better protect the individuals and businesses that entrust us with their information.
Retailers, meanwhile, still operate without any national standard for securing the consumer information they have access to.
In March, consumers found out about a Wendy’s data breach that, so far, has affected between 300 and 1,000 stores and millions of customers. In May, it became apparent that customers at a Fredericksburg, Va., Wal-Mart had their card information, including PIN numbers, stolen after skimmers were installed on payment kiosks. At least 37 customers had their accounts drained because of the breach.
Still, retailers continued their lobbying campaign against H.R. 2205.
This past June, Noodles & Company announced customers in 27 states and Washington had their credit and debit card information stolen after malware was installed on point-of-sale terminals.
Still, retailers opposed H.R. 2205.
In August, HEI Hotels & Resorts revealed that consumers at 20 of its hotels had their card payment data exposed.
Did retailers finally give up their opposition to H.R. 2205? Not a chance. In its September 2016 “Issues Guide,” the National Association of Convenience Stores said it “strongly opposes” this bipartisan legislation.
These breaches don’t just harm consumers once; they have a ripple effect. The cost of reissuing payment cards falls disproportionally on smaller financial institutions, like credit unions. Every dollar spent on replacement cards is a dollar that credit unions do not have available to lend to their members. In NAFCU’s October “Economic & CU Monitor,” respondents reported that the percentage of operating budgets devoted to IT/cybersecurity has nearly doubled over the last five years.
Lobbying groups that represent merchants will fight hard against H.R. 2205 and similar legislation in the lame-duck session of Congress. If they have their way this month and next, they’ll continue their campaign into the 115th Congress—no matter how many consumers are devastated by breaches at their locations.
Legislation to set national data security standards for retailers enjoys broad bipartisan support. To protect the American people and prove that Congress can get something done, even in the wake of a tough election and partisan acrimony, lawmakers should act like it’s 1999 and pass H.R. 2205.
Dan Berger is president and CEO of the National Association of Federal Credit Unions.