CUNA Chief Advocacy Officer Ryan Donovan wrote to 535 Congressional offices Thursday continuing CUNA’s call for data privacy and security legislation. Thursday’s outreach is part of several efforts for CUNA on the topic of data privacy this week, CUNA also wrote to the House and Senate Commerce Committees for the record of their data privacy hearings.

Donovan called on Congress to require all entities handling data to meet strict data security requirements, creative a national standard that pre-empts the current patchwork of regulations and protection American interests from cyberthreats that cold be linked to foreign entities seeking to disrupt U.S. interests.

CUNA’s letters to the commerce committees this week state:

• Any new privacy law should cover both privacy and data security. There cannot be privacy of data without protection from loss due to breach or other types of theft;
• The law should cover all institutions, not just tech companies, credit-rating agencies, and other narrow sectors of the economy. Any company that collects, uses or shares personal data or information has the opportunity to misuse the data or lose the data through breach;
• Data security requirements should be based upon protection of data to prevent theft and misuse;
• Notification or disclosure after the fact are important but are not the stopping point for adequate protection. By the time a breach is disclosed, harm could already have befallen hundreds of thousands, if not millions, of individuals, so robust protection is paramount for any new requirements;
• A law should provide mechanisms to address the harms that result from privacy violations and security violations, including data breach. Increasingly courts are recognizing rights of action for individuals and companies (including credit unions). However, individuals and companies should be afforded a private right of action to hold those that violate the law accountable, and regulators should have the ability to take action against entities that violate the law; and
• Any new law should preempt state requirements to simplify compliance and create equal expectation and protection for all consumers. Just like moving away from the sector specific approach, the goal should be to create a national standard for all to follow.