Credit Unions Bank on State Data-Security Laws

Computerworld - As an increasing number of states consider bills seeking to codify pieces of the Payment Card Industry (PCI) Data Security Standard into law, a common thread is emerging: the involvement of credit unions in pushing the legislation.

California legislators last week held a hearing on a bill that would set new data security and breach-notification requirements for all organizations processing credit and debit card transactions in the state. Businesses hit by breaches would also have to reimburse affected banks and credit unions for the costs of alerting customers and reissuing cards.

The chief proponent of the bill, which was introduced in the state assembly in February, is the California Credit Union League. The CCULs sponsorship of the proposal mirrors recent efforts by credit union associations to pass similar measures in Minnesota and Texas  successfully in the former state and unsuccessfully in the latter. Burden of Breaches

The need for such legislation is being driven by the burgeoning costs that many credit unions are having to bear as a result of security breaches at merchants, said Keri Bailey, a lobbyist for the CCUL.

This is an issue of fundamental fairness, Bailey said. Right now, the burden is entirely on the financial institution. The federal Gramm-Leach-Bliley Act requires banks and credit unions that issue cards to do a whole lot to protect peoples data, she said. But the folks accepting this data [for transactions] have no skin in the game.

Individually, large and midsize credit unions can easily end up shelling out between $500,000 and $750,000 annually in breach-notification and card replacement costs, Bailey said. And those figures dont include any fraud-related charges, she noted.

Most credit unions are not-for-profit institutions, Bailey said. As a result, its harder for them to absorb the costs of responding to retail security breaches than it is for banks, she added.

The bill in California has goals similar to those of the Plastic Card Security Act that was signed into law in Minnesota two weeks ago. The requirements included in the Minnesota law and the California bill incorporate elements of the PCI standard, which was developed by the five major credit card companies.

Another PCI-derived bill was unanimously approved by the Texas House of Representatives in early May but didnt make it through that states Senate before the latest biennial legislative session ended last week.

Such measures are needed to prod retailers to become more serious about their data security practices, said Steve Rowen, an analyst at Retail Systems Alert Group, a consulting firm in Newton, Mass.