CUNA urges Congress to hold hearings on Target data breach
(January 2, 2014) —
The Honorable Jeb Hensarling
Chairman
Committee on Financial Services
United States House of Representatives
Washington, DC 20515
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
United States House of Representatives
Washington, DC 20515
Dear Chairman Hensarling and Ranking Member Waters:
On behalf of the Credit Union National Association (CUNA), I am writing to encourage you to hold hearings on the recent Target data breach. CUNA is the largest credit union advocacy organization in the United States, representing America’s 6,700 state and federally chartered credit unions and their 99 million members.
On December 18, 2013, Target announced it had suffered a breach that compromised 40 million credit and debit cards used at its stores between November 27, 2013 and December 15, 2013. As a result, millions of consumers, many of them reportedly credit union members, have been placed at risk of being victimized by thieves who could access their accounts or commit other forms of identity theft.
In the weeks following this breach, the first priority for credit unions has been to ensure that their members are protected from fraudulent transactions now and in the future. Unfortunately, due to the frequency of merchant data breaches, credit unions are all too aware of the steps they must take when they occur. The steps credit unions have been taking include notifying members who have been affected, helping them to monitor their accounts and urging them to review their account statements, reversing fraudulent transactions and reissuing their cards, when appropriate.
By contrast, Target’s response to the breach has been in line with some other companies’ responses to breaches since merchants are rarely held responsible for reimbursing financial institutions for the cost that the data breach has caused the financial institution or consumers to incur.
The cost of a merchant data breach – whether it is at a large national merchant or a local merchant – can be significant for credit unions of all sizes. Because of credit unions’ cooperative structure, the cost of such breaches is ultimately borne by credit union members. CUNA is currently surveying our members to obtain more information on the costs they have incurred as a result of this breach, and we hope to be able to provide later this month an assessment of the impact the Target breach has had on credit unions and their members.
Credit unions are capable of responding to these threats, but the questions our members have are why credit unions must bear the cost of the merchants’ negligence, and why Congress has not done more to make merchants liable for breaches of their data systems. We believe merchants that accept debit and credit cards should be subject to the same high data security standards as credit unions. Further, credit unions should have the ability in all instances to tell their members the name of the merchant where their accounts were compromised. And, merchants that have data breaches should by law be financially liable for the impact of the breach on affected consumers and financial institutions.
As this crime fades from the headlines and life returns to normal for consumers, credit unions and Target, we strongly encourage Congress to fully examine the chronic issue of merchant data breaches and their impact on consumers and financial institutions. Failure to hold merchants fully accountable for data breaches when they occur ultimately harms consumers, undermines their confidence in our payments system, and adds to their growing frustrations that government is not protecting their interests.
On behalf of America’s credit unions and their 99 million members, thank you again for your consideration to hold hearings on this matter. We appreciate your leadership on this issue.
Best regards,
Bill Cheney
President & CEO