How To Deal With A Breach

Data Breaches are a Big Problem

Merchants are not subject to the same federal data protection standards as financial institutions, such as credit unions and banks. This means that some merchants fail to invest sufficiently in data security measures. As a result, it can be easier for hackers to gain access to a person’s credit card number, debit PIN, or other sensitive data through a merchant. Hackers can then sell this information to bad actors, or use the stolen data themselves to make fraudulent purchases.

For the past several years, merchant data breaches have been increasing.

Skyrocketing Number of US Data Breaches

Number of Breaches up 350% in Past Decade – up 44% over 2016.
178,955,069 Records Breached in 2017 alone!

Source: Identity Theft Resource Center

Fraudsters Gravitate to Those with Weakest Controls

[Chart: Percent of Total Breaches. Source: Identity Theft Resource Center]

A number of merchants have a bad track record and shift their mistakes to others

Although most consumers have probably only heard about a few breaches, over 1500 data breaches occurred in 2017 which exposed more than 178 million data records.

Source: The Identity Theft Resource Center

When a data breach occurs, the merchants are not required to pay the costs to send individuals their new cards and generally pay none of the fraudulent charges an individual may have on their cards or accounts. In fact, when merchants are responsible for the breach, they are rarely required to pay ANY costs incurred by others. Who is stuck paying these costs for data breaches? Your Credit Union or Bank—and ultimately, consumers like you.

If merchants can shift most of the costs of their data breaches to others, what incentive is there to increase their data security?

The answer is simple: none.

For More Information, Read the Op-Ed Pieces Below

Merchants must take responsibility

By: Jill Nowacki
New Britain Herald

Merchants must be required to safeguard financial data

By: Paul Gentile
Providence Business News

Credit Unions Have Been There to Protect Their Members and Customers

Consumers will be protected from fraudulent charges on their cards due to a breach, and the cost is generally picked up by the credit union, not by the merchant where the breach occurred.

Financial institutions are limited by law in disclosing many of the circumstances of a data breach. Often they are not able to disclose the merchant responsible.

Financial institutions clean up the mess when a merchant data breach occurs by informing members and customers and reissuing new credit and debit cards if required. In addition, financial institutions pursue criminals through available legal channels on behalf of their members, saving them time and legal expenses.

Credit unions and banks are working hard to adopt chip cards, but that will not reduce all card-not-present fraud. And if a financial institution has not issued chip cards by the deadline, that institution is not eligible for any eventual reimbursement of any breach costs.

Ensuring members’ data safety is a top priority of your credit union.

Credit Union Members and Bank Customers Get Stuck With The Bill

After the Target breach, for example, credit unions were left on the hook for $30.6 million, according to estimates by the Credit Union National Association (CUNA). Additionally, credit unions reissued roughly 4.6 million credit and debit cards in the aftermath.

Financial institutions cover not only the cost of fraud, but also the costs of blocking transactions, reissuing cards, increasing staff at call centers and monitoring consumer accounts.

The data breach at Home Depot was larger than the one at Target, costing credit unions an estimated $57.4 million.

When a data breach occurs, the merchant often shifts most of the costs, and consumers are ultimately the ones who foot the bill.

Sometimes financial institutions are reimbursed for data breaches, but when they are, the reimbursement covers only a portion of the total cost.

Helpful Solutions to Data Breaches


and consumer notification standards with effective enforcement provisions are needed to ensure sensitive data is protected.


and notification standards that credit unions and banks are already subject to.


and regulations in favor of strong federal data protection and notification standards.


members and customers about a breach, including where it occurred.


for all those involved in the payments system for protecting consumer data. The costs of a data breach should ultimately be borne by the entity that incurs the breach.

Time To Take Action


  • Let Congress know it is time to take action and hold merchants accountable for data breaches. Stop the Data Breaches!
  • Tell Congress merchants should be required to reimburse credit unions for the costs they incur as a result of merchant breaches.
  • Let Congress know that credit unions should be able to tell their members the name of a merchant causing the data breach.