Credit unions and banks do not agree on much, but on Tuesday they were able to put their differences aside and draft a joint letter to Congress demanding legislation that would require stronger data security standards for retailers.
The letter, signed by the Credit Union National Association, National Association of Federally-Insured Credit Unions, American Bankers Association, Consumer Bankers Association and Independent Community Bankers of America, was addressed to Rep. Bob Latta (R-Ohio), chair of the House Energy and Commerce Subcommittee on Digital Commerce.
The letter begins by pointing out that data security breaches “continue to put millions of consumers at risk” and by acknowledging that protecting the sensitive personal and financial information of consumers is “vitally important.”
“Stopping breaches is critical for consumers, and also important to our members who often have the closest relationships with those affected,” the letter states. “Data breaches impose significant costs on financial institutions of all sizes because our first priority is to protect consumers and ensure that they have no liability for fraud that typically follows a breach.”
The five trade associations point out their members provide relief to victims of data breaches, regardless of where the breach occurs. “In our view, it is critical for your Committee and the Financial Services Committee to collaboratively move forward on legislation that puts in place strong national data security and breach notification requirements and eliminates the current inconsistent patchwork of state law,” they assert.
The trades argue Congress should enact legislation encompassing the following elements:
· A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
· A notification regime equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
· Consistent, exclusive enforcement of the new national data security and notification standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or that comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
· Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.
Seeking Oversight, Accountability, Compliance
According to the trade associations, any legislation enacted into law must ensure all entities that handle consumers’ sensitive financial data have in place a robust – yet flexible and scalable – process to protect data, which they say must be coupled with effective oversight and enforcement procedures to ensure accountability and compliance.
“This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches,” the letter states. “This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide.”
The letter concludes with a promise to work with Chairman Latta and members of the committee.
“Our existing payments system serves hundreds of millions of consumers, retailers, financial institutions and the economy well. Protecting this system is a shared responsibility of all parties involved and we must work together and invest the necessary resources to combat never-ending threats to the payments system.”