Data Storage Remedies May Be Coming

Vicky Franchino, Credit Union Magazine
May 6, 2008 | COMMENTS

As the numerous data breach scandals of recent years prove, there's an epidemic of inappropriate data storage, and credit unions are paying the cost.

Remedies and solutions could come from the major card companies and legislative changes:

• Payment Card Industry (PCI) Security Standards Council. Founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, this group established a PCI Data Security Standard. The standard includes 12 requirements to help retailers and others involved in payment processing build secure networks and protect cardholder data. Yet meeting these standards is voluntary, and the group can't levy fines or operational consequences against businesses that don't meet the standards.

• ID Theft Task Force. President Bush formed this group in 2006. The attorney general and the Federal Trade Commission chairman headed it, and it made final recommendations in 2007. Recommendations included decreased dependence by federal agencies on Social Security numbers, asking businesses to adhere to national notification standards regarding breaches, and a request for lawmakers to amend current statutes so ID thieves could be prosecuted.

• State regulations. Numerous states—and state credit union leagues—are trying to implement regulations to prevent businesses from inappropriately storing customer data (i.e., personal identification numbers, security codes, or magnetic strip information) and make violators liable. To date, only Minnesota has succeeded. Its Plastic Card Security Act passed in May 2007 and doesn't allow businesses to store data for more than 48 hours after transactions are authorized.

In late February, the Washington State House of Representatives passed legislation allowing credit unions to sue negligent third-party data breachers if the credit unions incurred costs to protect members from fraud and ID theft. The bill was expected to face banker and retailer opposition in the Senate.

Helping Members after a Breach

If your credit union experiences a data breach, it's critical to take steps to protect your members. For example, the National Institute of Health Federal Credit Union in Rockville, Maryland gave affected members free access to an ID theft monitoring and assistance program called Identity Theft 911, Scottsdale, Arizona. It includes credit monitoring; fraud alerts placed on credit bureau files, a three-in-one report covering the three major credit bureaus, and notification to credit bureaus, creditors and collectors, and government agencies. Fort Bragg (N.C.) Federal Credit Union also partners with the company for victim resolution services.

Priority One Credit Union in South Pasadena had a data breach when a vendor printed account and Social Security numbers on the outside of election ballots that were mailed to members. In response, it offered members a free one-year membership in a credit monitoring service.

This story first appeared at www.creditunionmagazine.com and is reprinted with permission.