WASHINGTON – The losses card issuers have suffered because of card security breaches reached the ears of lawmakers recently. Eugene Foley, CEO of the $196 million Harvard University Employees’ Credit Union testified before the House Financial Services Committee on May 4 about his credit union’s losses from the BJ’s Wholesale Club’s Card Security Breach. Foley offered testimony that the credit union had 700 of its 10,000 card accounts compromised in the 2004 incident and that he personally has been a victim of identity theft. The hearing addressed preventing card security breaches and protecting sensitive information. “While I was sitting in my office, with my own debit card securely in my wallet, my checking account was cleaned out by a series of card purchases made 3,000 miles away,” Foley testified in his prepared statement.” “In a matter of minutes, over $2,000 was stolen from my account. Given my position, I am particularly responsive in protecting my own sensitive information, but this caution is meaningless when entities that have captured and retained the data contained on the card stripe are careless or not compliant with security standards,” he added. Foley noted that card issuers are generally “fastidious” about keeping to the security regulations promulgated by the major card brands but that merchants have not generally been held to the same standard. Resources card issuers spend on security protection are squandered if merchants are not on board in the same effort, he added. Foley also made the point that the losses are not limited to canceling the old card and replacing it with a new one. Unfortunately protecting the consumer also carries another very substantial penalty by causing the consumer to question the safety and security of the card issuer rather than the merchant who has inadequately safeguarded their personal information,” Foley testified. “The card issuer is unfairly exposed to the majority of this “reputation risk” in addition to actual monetary costs.” He also decried the pace of getting information to the card issuer, as well as the tendency on the parts of the card brands to keep the breaches secret. Without accurate and timely information, Foley said, credit union members are often left with the impression that the credit union was responsible for the card security breach. Hours before Foley spoke, another credit union, the $270 million Sharon Credit Union, headquartered in Sharon, Massachusetts, reported being the victim of a card breach. According to stories in the local media, MasterCard has contacted the credit union with the news that 140 of its debit cards had been compromised when someone had hacked into a merchant’s database. As has become the case, the credit union was not told when the hacking event had occurred or which merchant had been involved. -