San Diego: Debra Schwartz, CEO of Mission Federal Credit Union, among the largest such institutions serving San Diego County, recently testified before a U.S. House of Representatives subcommittee hearing on data security.
Representing the National Association of Federally-Insured Credit Unions (NAFCU), a trade organization, Schwartz lobbied legislators Nov. 1 to introduce a bill that would hold businesses to data security and breach notification standards similar to those already imposed on financial institutions.
The association has been pushing legislators to establish a national standard for the protection of consumer data since the massive breach at retailer Target Corp. in 2013. Schwartz is the organization’s treasurer and a director-at-large; she also heads its legislative committee.
Mission Federal has about $3.4 billion in assets, 30 local branches and more than 220,000 customers. Since 2003, the credit union has been notified of 1,400 merchant data breaches, according to Schwartz.
It will spend more than $1 million on its cybersecurity in 2017, said Schwartz, who held a number of executive roles within the credit union industry prior to joining Mission Federal, including chief financial officer at First Future Credit Union and an executive vice president at San Diego County Credit Union.
On the Hook for Fraud Losses
“Banks and financial institutions, we’re subject to a lot of rules and regulations — and it’s our reputation, so we take it very seriously,” she said. “Knock on wood, we haven’t had any data breaches that originated at Mission Fed. So if a member’s card is compromised, it happens at a different point, whether it’s the Equifax breach, the Target breach, the Home Depot breach or Joe’s taco hut.”
Regardless of where the breach occurs, the credit union that issued the card is often on the hook for the resulting fraud losses.
Such breaches can cost banks and credit unions significant amounts of money. Roughly two years after the breach at Target, in which tens of millions of consumers had their personal information exposed, the Minneapolis-based retailer agreed to pay nearly $40 million to resolve claims by banks and credit unions that said they lost money as a result of the breach.
But that is the exception. And while large fraudulent purchases can be flagged by the algorithms financial institutions deploy to protect accounts, small-dollar charges, which fraudsters often use to test whether a stolen card still works and whether its owner is watching the account closely, are much harder to catch.
“We look for unusual transactions, but we don’t know if that $9.99 internet purchase is legitimate or not,” Schwartz said.
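The point Schwartz makes is that a single $9.99 charge carries almost no signal on its own; what fraud teams actually key on is the pattern around it: several small charges at merchants the card has never used, or a small probe followed quickly by a large purchase. The following is an added illustration, not code from Mission Federal or NAFCU, and the thresholds, card identifiers, merchant names and transactions are all constructed for the example. It runs the two heuristics over a constructed history and shows that the lone $9.99 purchase passes while the two testing patterns are flagged.

```python
"""Toy card-testing detector. Added illustration; not any institution's production logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str          # hypothetical card token, never a real PAN
    ts: datetime
    amount: float
    merchant: str


# Illustrative thresholds (assumptions, not tuned values).
SMALL_MAX = 10.00            # what counts as a "small-dollar" charge
LARGE_MIN = 200.00           # a purchase worth cashing out on once the card is known to work
WINDOW = timedelta(hours=24)
MIN_PROBES = 3


def card_testing_alerts(txns):
    """Return {card: reason} for cards whose recent activity looks like card testing.

    Signal 1: MIN_PROBES or more small charges at merchants the card has never used,
              all inside WINDOW.
    Signal 2: a small first-time-merchant charge followed inside WINDOW by a charge of
              LARGE_MIN or more at another first-time merchant.
    A lone small purchase at a new merchant triggers neither rule, which is exactly the
    gap the article describes.
    """
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_card[t.card].append(t)

    alerts = {}
    for card, seq in by_card.items():
        known = set()    # merchants seen earlier in this card's history
        probes = []      # recent small charges at first-time merchants
        for t in seq:
            new_merchant = t.merchant not in known
            known.add(t.merchant)
            probes = [p for p in probes if t.ts - p.ts <= WINDOW]   # expire old probes
            if new_merchant and t.amount <= SMALL_MAX:
                probes.append(t)
                if len(probes) >= MIN_PROBES:
                    alerts[card] = f"{len(probes)} small first-time-merchant charges within 24h"
                    break
            elif new_merchant and t.amount >= LARGE_MIN and probes:
                alerts[card] = (f"${t.amount:.2f} at new merchant {t.merchant} "
                                f"after small probe at {probes[0].merchant}")
                break
    return alerts


def sample_txns():
    """Constructed sample activity for three hypothetical cards (not real data)."""
    d = datetime(2017, 11, 1)
    return [
        # Card A: a real member. Recurring streaming charge, groceries, one new $9.99 purchase.
        Txn("A", d - timedelta(days=60), 9.99, "streamco"),
        Txn("A", d - timedelta(days=30), 9.99, "streamco"),
        Txn("A", d - timedelta(days=2), 84.12, "grocer"),
        Txn("A", d, 9.99, "webshop"),                        # small, new merchant, alone
        # Card B: classic testing, three tiny charges at three new merchants in two hours.
        Txn("B", d - timedelta(days=40), 45.00, "gasmart"),
        Txn("B", d, 1.00, "shop-x"),
        Txn("B", d + timedelta(minutes=40), 0.99, "shop-y"),
        Txn("B", d + timedelta(minutes=110), 2.50, "shop-z"),
        # Card C: one probe, then a cash-out purchase three hours later.
        Txn("C", d - timedelta(days=10), 31.00, "cafe"),
        Txn("C", d, 9.99, "newstore"),
        Txn("C", d + timedelta(hours=3), 650.00, "electronics-outlet"),
    ]


if __name__ == "__main__":
    for card, reason in card_testing_alerts(sample_txns()).items():
        print(f"card {card}: {reason}")
```

Card A is never flagged, even though its $9.99 charge at "webshop" is indistinguishable in isolation from card C's probe at "newstore"; the difference only becomes visible once the charges that follow it are taken into account, which is why a single small transaction is so hard to adjudicate in real time.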
Cost of Compliance
Some merchants oppose legislation that would require businesses to meet a national standard for data security because of the cost of compliance. But Schwartz said NAFCU and the bank representatives it is working with want any legislation put into effect to be modeled on the Gramm-Leach-Bliley Act, the 1999 law that requires financial institutions to safeguard sensitive customer data.
That regulation, she said, was designed to be flexible and scalable depending on an institution’s size.
“We’re not asking the merchants to be subject to the same standards that a bank is, just some basic standards,” she said.
A survey conducted by the NAFCU in 2015 found credit unions had spent an average of $136,000 on data security measures and $226,000 on costs associated with merchant data breaches in the year prior. Since then, the sophistication and frequency of cyberattacks have increased.
Lack of Regulatory Requirements
“Whatever the weak link is in the point of commerce, that’s where the fraudsters are going to go,” Schwartz said. “You can literally stack up credit card receipts in your break room … and there’s no regulatory requirement that you shred old data, or have virus protection, or even a password-protected computer system.”
A bill proposed in 2015 and backed by the NAFCU would have required businesses that handle sensitive financial information to implement an information security program and to provide notification of breaches likely to cause consumers harm. But the proposal expired at the end of the 114th Congress.
The breach earlier this year at credit reporting agency Equifax, however, turned the spotlight on the importance of data security because of how many people were affected, Schwartz said. Credit agencies, like financial institutions, are held to data security standards, but there is no enforcement of those standards, she added.
“We’re going to keep pressuring members of Congress to put together something similar to the bill that was introduced (previously) and pull out anything that might seem to be a stumbling block so we can move this forward,” she said. “If you can look at a bright side of the Equifax breach, it really, really opened everyone’s eyes.”