Menu

The Data Security Act of 2015: How Credit Unions Benefit

The Data Security Act of 2015: How Credit Unions Benefit
Posted: Jan 19, 2016
Comments: 0
Author: Lou Grilli

The U.S. House Financial Services Committee recently passed the Data Security Act of 2015. The bill has some positive implications to credit unions and financial institutions, but does present some challenges for state privacy laws and small businesses. The act would establish consistent standards nationwide for data security requirements and data breach notification requirements.

Without the act, if a merchant is negligent to upgrade security software to protect cards on file, or a small merchant doesn’t implement necessary security to protect credit and debit card information collected over the internet, in-store, or over the phone, the card issuer is responsible for making the cardholder whole in the case of breach of the cardholder’s data. That is to say, the merchant, the one handling the card data, is not liable for the fraud incurred even if it is under their control. The roll-out of EMV does not address breaches of the millions of card data being stored by merchants. Also when there is a breach, there is no rule that says when or if the breach should be announced, and to whom.

Great for Credit Unions. Challenging for Small Businesses.

The Data Security Act is written to level the playing field by creating a nationwide standard to address these holes. This is great for credit unions as it potentially decreases the cost of fraud by forcing merchants to meet federal standards while not adding any additional burdens to credit unions. However, it may not be great for small business owners, who may not be aware of, or be able to meet compliance standards.

The act presents other challenges as well. Seven states plus the District of Colombia have rules for a “harm trigger” that is far more strict than the proposed federal rule. It also potentially undermines the Communications Act, which contains strong breach notification for telecomm, cable and satellite customers’ data. And it takes away existing state redress laws by eliminating state attorneys general powers to seek restitution on behalf of consumers. State attorneys general would still be able to seek civil penalties and injunctive relief, but would not provide harmed consumers with relief.

The Act May Not Make It to Law

Given the current movement toward states’ rights in both houses, the Data Security Act of 2015 may not make it to law. That would be unfortunate since security is only as strong as the weakest link, and that weakest link currently is the handling of card data used by merchants in card-not-present transactions. Ideally, the bill will be amended to appease the factions that oppose the watering down of current state rules, while keeping intact the intended desire to create a minimum security requirement and breach notification standard for all merchants, large and small.


Print
Rate this article:
No rating
Lou Grilli

Lou GrilliLou Grilli

Lou is the Director of Payments Strategy at CSCU and is responsible for providing leadership to the organization for emerging payments and industry trends, as well as managing the product portfolio.

Other posts by Lou Grilli

Full biography , Contact author

Please login or register to post comments.

search

Featured Stories