When it comes to data security, credit unions know what’s at stake
Data security and how private data is used seem to be on the minds of a lot of people in Washington lately. Last week, we saw the heads of firms like Facebook and Twitter testify before Congress on a number of digital privacy issues, and we saw a financial institution breach notification bill introduced. This is good progress.
For credit unions, data security has been top of mind for a long time now, as hundreds of credit unions have spent millions of dollars re-issuing payment cards and reimbursing fraudulent purchases due to retailer data breaches.
The strict data security standards that credit unions must comply with under the Gramm-Leach-Bliley Act cannot protect consumers from lax data security standards at merchants. Now that data security is at the forefront for policymakers here in D.C., it’s time for credit unions to make our voices heard and tell Congress we need data breach requirements that work for anyone who handles sensitive consumer information.
This month and throughout the fall, credit unions from around the country are traveling to Washington to “hike the hill,” and many more will be meeting with their representatives in their home districts.
As the discussion on data security evolves, members of Congress need to hear what credit union priorities are, from credit unions themselves.
The bill that’s being considered in the House Financial Services Committee from Rep. Blaine Luetkemeyer (R-MO) provides credit unions regulatory relief and helps consumers by ensuring a national data breach notification standard is in place for financial institutions. Consistency, and compliance with a single notification requirement, is a win for consumers and credit unions, but CUs and their members need more.
Meaningful data breach legislation should adhere to the following principles:
- A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act for data protection that factors in the size and complexity of an organization, the cost of available tools to secure data and the sensitivity of the personal information an organization holds. It should also guarantee that small organizations are not burdened by excessive requirements;
- A GLB-equivalent notification regime requiring timely notice to impacted consumers, law enforcement and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm;
- Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission and state attorneys general;
- Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.
This kind of legislation would require retailers to protect valuable consumer information the same way credit unions are already required to. Lawmakers need to know that credit unions can’t afford to foot the bill for any more data breaches while those responsible for the breaches aren’t crushed by the consequences.
As we head toward a new Congress in January, we have the ability to keep this issue at the top of policymakers’ minds and, more importantly, we have a chance to shape this conversation going forward.