A recent data security breach affecting 51 UPS franchise stores prompted the National Association of Federal Credit Unions to renew its call for Congress to impose new regulations on retailers that collect, use, and store customer data.

The letter, delivered to House and Senate leaders on Friday, says that the malware attack on UPS Stores went undetected for eight months and affected upwards of 100,000 consumer transactions. It follows a spate of similar breaches, including those at supermarket chain Supervalu, Smucker’s, Sally Beauty, Neiman Marcus, Michaels, and Target.

“When Congress reconvenes in September, legislative action to address data breaches that occur at the hands of retailers must be a priority,” the NAFCU letter says. “There is no federal standard for merchants regarding the safekeeping of financial information or data breach notification efforts... and small financial institutions like credit unions struggle to make consumers whole in the wake of breaches they have no control over and didn’t contribute to.”

Among the legislative and regulatory changes urged by the trade association:

Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced by requiring entities to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame.

National Standards for Safekeeping Information: NAFCU supports legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act.

Data Security Policy Disclosure: Requiring merchants to post their data security policies at the point of sale if they take sensitive financial data.

Notification of the Account Servicer: Including financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.

Disclosure of Breached Entity: NAFCU urges Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk.

Enforcement of the Prohibition on Data Retention: Addressing the violation of existing agreements and law by merchants and retailers who retain payment card information electronically.

Burden of Proof in Data Breach Cases: NAFCU says the evidentiary burden of proving a lack of fault should rest with the merchant or retailer that incurred the breach, although current law is vague on this issue. The burden of proof should be clarified by statute, it says.

The Target breach of over 110 million customer records was especially onerous on credit unions and could end up costing them nearly $30 million from fraud monitoring, reissuance of cards, and actual losses from this breach, the letter says, adding that “credit unions will likely never recoup much of this cost, as there is no statutory requirement on merchants to be accountable for costs associated with breaches that result on their end.” A recent survey of NAFCU-member credit unions found that the 2006 data breach at TJ Maxx stores led to a median cost of $32,000 per institution, with only about 10 percent of those costs ever recovered.