CUNA joined with other financial trade associations Tuesday to write to Congress to correct a number of falsehoods contained in a recent retailer communication to Congress on data breaches. Retailers are attempting to push back against strong national data security standards, despite a lack of such standards causing major data breaches that bring additional costs to credit unions.
CUNA strongly supports draft data breach legislation that would enact a strong security and notification standard and shift the costs of a data breach to the entity that caused it.
Part of the retailers’ communications improperly characterizes NCUA’s requirements and financial institution guidance as not mandatory, despite heavy regulations and standards for financial institutions spelled out in the Gramm-Leach-Bliley Act, which was enacted in 1999.
NCUA and other banking regulators have in place regulations and guidance for financial institutions to safeguard consumer data, report breaches to the regulators and provide notice to consumers. All financial institutions must have data breach consumer notification programs, which are reviewed by regulators during examinations.
Regulators can impose penalties including fines on a financial institution for not having a proper data breach response program in place.
Retailers, however, are not subject to federal data security laws or federal notification requirements. Furthermore, they are not examined for data security compliance with any law or other requirement.