WASHINGTON–In advance of a hearing by the House Homeland Security Subcommittee on Investigations this week on private sector data breaches, both CUNA and NAFCU sent letters outlining their priorities for any related legislation.
“Credit unions have met with members of this committee to detail damage to credit unions and their members from data breaches,” said CUNA in its letter. “The current gaps in data protection and privacy laws hurt consumers and businesses as information is misused by criminals and other actors with malicious intent. Financial institutions are at the vanguard for misuse of stolen data.”
According to CUNA, the problem extends well beyond the financial services industry, and robust privacy and data security requirements for all industries are becoming increasingly necessary.
Other Points Raised
The CUNA letter further calls on Congress to work with the administration “to finally address consumer data privacy in a meaningful way.”
Among other points expressed in the letter:
- Any new privacy law should cover both privacy and data security. There cannot be privacy of data without protection from loss due to breach or other types of theft.
- The law should cover all institutions, not just tech companies, credit-rating agencies, and other narrow sectors of the economy. Any company that collects, uses or shares personal data or information has the opportunity to misuse the data or lose the data through breach.
- Data security requirements should be based upon protection of data to prevent theft and misuse.
- Notification or disclosure after the fact are important but are not the stopping point for adequate protection. By the time a breach is disclosed, harm could already have befallen hundreds of thousands, if not millions, of individuals, so robust protection is paramount for any new requirements.
- A law should provide mechanisms to address the harms that result from privacy violations and security violations, including data breach. Increasingly, courts are recognizing rights of action for individuals and companies (including credit unions). However, individuals and companies should be afforded a private right of action to hold those that violate the law accountable, and regulators should have the ability to take action against entities that violate the law.
- Any new law should preempt state requirements to simplify compliance and create equal expectation and protection for all consumers. Just like moving away from the sector specific approach, the goal should be to create a national standard for all to follow.
The full CUNA letter can be read here.
NAFCU’s Letter
Separately, in its letter NAFCU noted that consumers and credit unions have suffered from large private sector data breaches, like the ones at Equifax and Marriott International. “Credit unions suffer steep losses in re-establishing member safety after a data breach, often absorbing significant fraud-related losses. Credit unions and their members are victims in such breaches, as members turn to their credit union for answers and support. Furthermore, as credit unions are not-for-profit cooperatives, credit union members are the ones that are ultimately impacted by these costs,” wrote NAFCU’s Brad Thaler.
NAFCU reiterated its position that there is a need for a national data security standard for entities that collect and store consumers’ personal and financial information but are not already subject to the same stringent requirements as depository institutions. “While the Gramm-Leach-Bliley Act (GLBA) established a national data security standard for depository institutions over two decades ago, other entities who handle consumer financial data do not have such a national standard. Even though credit bureaus, such as Equifax, are governed by the GLBA’s data security standards, they are not examined by a regulator for compliance with these standards in the same manner as depository institutions,” NAFCU said.
Guiding Principles
The letter includes NAFCU’s set of guiding principles for any legislation, which include:
- Payment of Breach Costs by Breached Entities: NAFCU asks that credit union expenditures for breaches resulting from card use be reduced. A reasonable and equitable way of addressing this concern would be to enact legislation to require entities to be accountable for costs of data breaches that result from negligence on their end.
- National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under the GLBA, credit unions and other depository institutions are required to meet certain criteria for safekeeping consumers’ personal information and are held accountable if those criteria are not met through examination and penalties. Unfortunately, there is no comprehensive regulatory structure akin to the GLBA that covers other entities who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on depository institutions under the GLBA.
- Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.
- Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.
- Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. “We urge Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk,” NAFCU said.
- Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by those who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, which can be breached easily in many cases.
- Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the negligent entity who incurred the breach.
