WASHINGTON—NAFCU has sent three letters to Congress related to the markup of bills in the House and several different hearings.
The letters sent include:
To the Senate Subcommittee on Manufacturing, Trade, and Consumer Protection
NAFCU shared with lawmakers the trade association’s guiding principles to help define key issues that credit unions would like to see addressed in comprehensive data security legislation.
Brad Thaler, vice president of legislative affairs, wrote to the subcommittee ahead of a hearing on the unique data privacy issues faced by small business. In the letter, Thaler reiterated the association's call for a strong national data security standard, noting that "a major aspect of consumer privacy is ensuring the security of a consumer's financial data."
He also outlined NAFCU's guiding principles for data security legislation, primarily ensuring that consumers are well informed of what data is retained and how it's protected, that breaches are disclosed in a timely manner, and that negligent entities are held responsible when a data breach occurs on their end.
To the House Subcommittee on Economic and Consumer Policy, Committee on Oversight & Reform
Ahead of a hearing yesterday on “Improving Data Security at Consumer Reporting Agencies,” NAFCU said the recent Equifax data breach has highlighted the need for addressing consumer data security issues at national credit bureaus and beyond. “As NAFCU has long advocated, there is a need for a national data security standard for entities that collect and store consumers’ personal and financial information that are not already subject to the same stringent requirements as depository institutions,” wrote Thaler.
While credit bureaus, such as Equifax, are governed by data security standards set forth by the Gramm-Leach-Bliley Act (GLBA), they are not examined by a regulator for compliance with these standards in the same manner as depository institutions, Thaler added. He noted that the Equifax breach reportedly occurred via a “known” security vulnerability for which software companies had issued a patch several weeks prior.
“If Equifax had acted to remedy the vulnerability in a reasonable period of time, this breach may not have occurred. When a breached entity knew or should have known about a threat, and fails to act to mitigate it, the negligent company must be held financially liable,” Thaler said. “Credit unions suffer steep losses in re-establishing member safety after a data breach like the one at Equifax and are often forced to absorb fraud-related losses in its wake. Credit unions and their members are victims in this breach, as members turn to their credit union for answers and support when such breaches occur. As not-for-profit cooperatives, credit union members are the ones that are ultimately impacted by these costs.”
To the House Committee on Financial Services Ahead of a Markup of HR 1595, the Secure and Fair Enforcement (SAFE) Banking Act of 2019
“As the Committee is aware, the vast majority of states have authorized varying degrees of marijuana use, ranging from limited medical use to decriminalization and recreational use at the state level,” Thaler wrote. “NAFCU has heard from a number of our member credit unions in these states that they are being approached by their members, or potential members, that have small businesses that are in, or that serve, the legal cannabis industry in their state in order to obtain banking services for those businesses.”
Stating that NAFCU is not taking a position on the broader question of the legalization or decriminalization of marijuana to any degree at the federal or state level, the trade group urged Congress to examine what legislative steps can be taken to provide greater clarity and legal certainty at the federal level for credit unions that choose to provide financial services to state-authorized marijuana-related businesses (MRBs) and ancillary businesses that may serve those businesses in states where such activity is legal.
