In an effort to assist consumers who may have been impacted by retail giant Target's security breach over the holiday season, the Credit Union National Association will open a data collection website that allows credit unions to report costs incurred during the crisis.
The CUNA announced during the final week of 2013 that it would be providing assistance to all members whose customers needed debit and credit cards replaced after a widespread data breach compromised the accounts of some 40 million Americans who shopped at Target stores from Nov. 27 to Dec. 15. In the interim, the association is requesting that all affected credit unions continue to tally their fraud costs so that information may be recorded in a timely fashion, the Credit Union Times reported.
Association President and CEO Bill Cheney said that his group has been in contact with members of Congress, as well as the U.S. Consumer Financial Protection Bureau, in an effort to determine what level of accountability credit unions must assume in the event of such data breaches - specifically those as massive and seemingly indefensible as the one that zeroed in on Target shoppers.
"As we all know, the Target breach – which has apparently compromised millions of credit and debit cards, many of them held by credit union members - has the potential for creating substantial expense for credit unions and other financial institutions." Cheney said. "We have been in close contact with the payments processors, getting their take on what has happened and the impact on financial services providers, especially credit unions."
Who's accountable?
Much of the discussion initiated with Congress, Cheney added, centered around the inherent responsibility of merchants to protect data, especially when the consequences of such compromises are so significant and widespread.
Many credit unions posted fraud alerts and notifications on their websites and social media outlets, while thousands of customers were issued new credit and debit cards while being forced to close old accounts. Bay Federal Credit Union in Capitola, Calif., which has more than 55,000 members, re-issued new payment cards for some 5,000-plus consumers who may have been affected.
"Our contact center is helping any members that call in with issues," said Tonee Picard, Bay Federal's executive vice president and chief development officer. "To date, we have not seen significant fraudulent transactions."
Hawaii Community Federal Credit Union, based in Kailua Kona, Hawaii, was forced to close more than 2,000 credit and debit card accounts for its members, of which there are 42,575 total, according to the CU Times.
In many cases, credit union institutions made the decision to close accounts as precautionary measures, in some cases before customers had even been notified. Tricia Buskirk, vice president of corporate development and marketing, said Hawaii Community proceeded with such measures when it became clear that calling each individual member was a much less efficient means of addressing the issue.
Other credit unions took varying measures to notify their clientele, affected or not.
Royal Credit Union of Eau Claire, Wis., sent a mass email to its members indicating that more than 6,000 associated cards were confirmed as compromised, and that more could issues could be identified. Members were able to continue using their current cards without risking penalty and would have them replaced by mail, which could take up to 21 days, and would then have to proceed with reactivation.
Golden 1 Credit Union, based in Sacramento, Calif., is the state's second-largest credit union with $650,950 members and approximately $8.2 billion in holdings. It estimated that at least 67,000 of its members had been affected by the Target data breach, and was taking action by replacing any cards suspected of compromise.
"Golden 1 is proactively replacing all potentially impacted cards," said Donna Bland, the credit union's president and chief executive officer. "The safety and security of all our members' accounts is a top priority for us."
Signs of solidarity
Meanwhile, another major credit union trade group, the National Association of Federal Credit Unions, joined the call to action in the wake of the Target breach. Dan Berger, the group's president and CEO, commended members of Congress who called for greater responsibility from retailers in protecting consumer information. Berger wrote Capitol Hill, asking that legislation be passed requiring merchants to adopt minimum data security standards and assume greater accountability in the event of such security failures.
"NAFCU believes merchants should bear responsibility for data breaches originating on their end," read an association statement.
Essentially, the credit union trade organizations and many other groups representing financial institutions want to emphasize that credit unions and banks are already strapped with plenty of regulations and standards to follow, and as such it should not be their responsibility to ensure the personal security of customers when shopping at large retailers such as Target.