WASHINGTON–A credit union CEO told the House Financial Services Subcommittee on Financial Institutions and Consumer Credit here that it’s about time merchants be held to the same data security standards as credit unions and banks.
Testifying before the committee was Kim Sponem, president/CEO of Summit Credit Union in Madison, Wis., who was among the witnesses at the hearing on “Examining the Current Data Security and Breach Notification Regulatory Regime.”
Sponem told the committee data breaches are occurring “far too often” and are usually the result of other entities, including merchants, not taking the steps needed to secure data. She said the $3-billion Summit CU spent more than $1 million during 2017 as the result of breaches.
“More importantly, the negative impact on consumers is significant and sometimes devastating,” Sponem said. “Imagine you are making a purchase and your card is declined. You don’t know why. There is a line behind you. You are embarrassed and concerned. You figure out a different way to pay or walk away angry. You call your financial institution. There are fraudulent charges on your card. You now know the purchase was declined because of fraud and you have the stress of wondering just what information a fraudster has on you. Or you are using your debit card in another country to get currency. It is shut down. Now what do you do? You are worried someone is depleting your checking account. How long will it take to get resolved? How will you get money in another country? Panic sets in. Even worse. Someone stole your identity and took out a loan in your name. Now your credit is compromised. How do you get it back? It can take years and tens of thousands of dollars to rectify.”
Sponem said replacement cards cost the credit union between $3 and $5 per card, and any cards that need to be overnighted mean additional expense to the credit union. Members then need to go through and update all their automatic payments, she reminded the committee.
“All fraud and fraud mediation are paid for by financial institutions,” said Sponem. “There is no incentive for companies that hold personal information to protect it – and that is just plain wrong.”
Sponem noted that under current law, credit unions and banks are subject to data security requirements, necessitating the development of procedures and systems to protect consumer information from theft, including notifying consumers in the event of a data breach.
“However, other entities that hold personal information are subject to no such standards,” she said. “Any company that holds consumers’ personal information necessarily or unnecessarily should be held to a national standard. Americans deserve a strong national data security standard that requires all businesses to protect and safeguard personal information.”
