Trades at odds over data breach notification bill

Major credit union trade groups are at odds over a House bill that would update consumer notification requirements in the event of a data breach.

The House Financial Services Committee last week passed the Consumer Information Notification Requirement Act, or H.R. 6743, aimed at modernizing notification requirements for credit unions and other financial institutions implemented under the Gramm-Leach-Bliley Act.

If enacted, the bill would set a national standard for notifying individuals when cybersecurity intrusions occur and is believed to reduce regulatory burden for CUs.

“For those of our members who operate across state lines and may have to deal with different standards, having a national standard with breach notification would reduce their compliance or regulatory burden,” said Eli Joseph, deputy chief advocacy officer at the Credit Union National Association, which supported the legislation.

Having passed the House Financial Services Committee on a 32-20 vote, Rep. Blaine Luetkemeyer's (R-Mo.) bill also has the support of the National Association of Federally-Insured Credit Unions.

In a statement, NAFCU Vice President of Legislative Affairs Brad Thaler called the bill “a good first step” because it “ensures a uniform breach notification upheld by financial regulators.”

Trades divided

Despite CUNA and NAFCU’s enthusiasm, there are larger questions remaining surrounding whether or not this bill and others passed with it can make it through the Senate.

And the credit union movement is far from united on this particular issue, with state CU regulators calling foul.

Since H.R. 6743 would supersede current state-level regulations, “The problem is if this overarching legislation passes and a state has better regulation pertaining to data security, that’s bad for consumers,” said Lucy Ito, president and CEO of the National Association of State Credit Union Supervisors.

If enacted, Ito continued, the bill “may provide relief to financial institutions, but it’s not going to do anything to better protect consumers.”

NASCUS also criticized the legislation for failing to hold industries outside the financial sector to the same standard banks and credit unions face in protecting consumer data from cyberattacks.

“We’d reverse our opposition if the bill would be amended to defer to more stringent state law and to extend the standards outside the financial services industry,” Ito stated.

When asked about the concerns around overriding stronger state law, Joseph responded that “no legislation is perfect,” but that CUNA “would welcome a conversation to get the standard right.”

Larger issue remains

No matter its importance to the industry, the bill appears to do little to correct the larger problem of data breaches or establish cybersecurity standards for retailers, both of which have been key priorities for credit union trade associations for the last five years. CUNA’s Joseph pushed back on that, however, suggesting that H.R. 6743 can help continue the conversation surrounding data security for financial institutions.

As part of that process, CUNA has relaunched Stop the Data Breaches in order to further educate credit union members about the risks FIs face from cyberattacks.

According to Cimcor, a self-described industry leader in security software solutions, the healthcare industry is most susceptible to data breaches, followed by manufacturing, financial services, government and transportation.