The Data Security Act of 2023 is a “mixed bag” for credit unions, CUNA wrote to the House Financial Services Committee. The committee marked up several pieces of legislation starting Tuesday, including the Data Security Act of 2023.

“We support the goals of this legislation when considered as a substitute for the financial institution provisions in comprehensive data privacy legislation that the Energy and Commerce Committee may consider this year,” the letter reads. “However, we cannot support harmful provisions contained in this legislation, such as section § 501(c) on data usage, which would provide an extraordinary compliance burden on credit unions.”

CUNA supports federal requirements to protect information; federal requirements to notify consumers: of a data breach; strong federal oversight and examination; and strong federal sanction authority.

The letter recommends additions of provisions concerning:

• Recognition of the burden on smaller financial institutions.
• Updated definition of a financial institution to include data aggregators.
• Preemption of conflicting state laws.
• Maintaining the status quo on enforcement through our prudential regulators.

“CUNA has significant concerns about the inclusion of § 501(c) which can be interpreted as an “opt-in” for the use of all nonpublic personal information,” the letter reads. “Additionally, the § 502(e) exceptions apply to § 502 for collection and disclosure but not for use. As currently proposed, credit unions would have to obtain the affirmative consent of their members for any use of data whenever they provide basic financial services.

This creates an unwieldy, unsustainable system for credit unions that carefully manage existing uses of consumer data. We ask that this section be removed entirely from the bill,” it adds.