WASHINGTON—Provisions that should be part of any legislation to establish a national data security standard have been outlined in separate letters to Congress by NAFCU and CUNA.
The letters were sent in response to a request from Senate Banking Committee Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) for information on the topic.
NAFCU Vice President of Legislative Affairs Brad Thaler provided input on what could be done through legislation, regulation, or best practices to ensure that consumers have control over their data, are notified of breaches in a timely manner, and know what data is being collected, how it is used, and how the collected data affects their credit reports.
Included in Thaler’s responses were the guiding principles NAFCU would like to see incorporated in data security legislation: that consumers be informed of what data is retained and how it is protected, that breaches be disclosed in a timely manner, and that negligent entities be held responsible when a data breach occurs on their end. He also reiterated an argument NAFCU has previously made, that credit bureaus should be examined for compliance with the Gramm-Leach-Bliley Act (GLBA).
CUNA’s Point of View
In CUNA’s letter, the trade association stated Congress should not expect any data privacy law it may enact to succeed in providing the desired level of privacy if such legislation does not also require all “businesses and organizations that collect, use and house personally identifiable information (PII) to protect that data consistent with strong, federal security requirements.”
“A federal data security standard is essential to provide Americans with the comfort and confidence that the information that they share with businesses and organizations will remain private and secure,” CUNA wrote.
As the Senate Banking Committee has jurisdiction over financial institutions, CUNA urged the committee to “work with other committees and the administration to address consumer data privacy and data security so that all Americans can feel confident that their personal information is protected from breach and will not be misused by any company that possesses it.”
Suggested Principles
CUNA suggested the following principles as guidance for federal privacy and data security legislation:
- Data privacy and data security are hand in glove: Any new privacy law should include both data privacy and data security standards. Simply put, data cannot be kept private unless it is also secured. Congress should enact robust data security standards to accompany and support data privacy standards, CUNA stated.
- Everyone should follow the same rules: The new law should cover all businesses, institutions and organizations. Consumers will lose if Congress focuses only on tech companies, credit-rating agencies, and other narrow sectors of the economy, because any company that collects, uses or shares personal data can misuse that data or lose it through a breach, CUNA said.
- There should be one rule for the road: Any new law should preempt state requirements to simplify compliance and create equal expectations and protection for all consumers. Some states have strong security and privacy requirements, CUNA acknowledged, and Congress should carefully examine those requirements and adopt the best approaches from state law, as appropriate. A patchwork of state laws with a federal standard as only a floor will perpetuate a security system littered with weak links; the federal law should be the ceiling, and the ceiling should be high. Just as with moving away from the sector-specific approach, the goal should be a strong national standard for all to follow, the trade group said.
- Breach disclosure and consumer notification are important, but these requirements alone won’t enhance security or privacy: Breach notification and disclosure requirements matter, but they are akin to sounding the alarm after the fire has burned down the building, CUNA said. By the time a breach is disclosed, harm could already have befallen hundreds of thousands, if not millions, of individuals.
- Hold entities that jeopardize consumer privacy and security accountable through a private right of action and regulatory enforcement: The law should provide mechanisms to address the harms that result from privacy and security violations, including data breaches. Courts are increasingly recognizing rights of action for individuals and companies (including credit unions), CUNA noted, but the law itself should afford individuals and companies a private right of action to hold violators accountable, and regulators should have the authority to act against entities that violate the law.
