CUs need data breach solution, CUNA writes to Congress

July 27, 2018

Mitigating losses from data breach remains a top credit union priority, CUNA wrote to Rep. Bob Latta (R-Ohio), chair of the House Energy and Commerce subcommittee on digital commerce and consumer protection Friday. CUNA’s letter comes as CUNA launches its Stop the Data Breaches campaign under its Member Activation Program.

Data breaches that expose card information and consumers’ personally identifiable information, such as what happened with the 2017 Equifax data breach, cost credit unions and their member owners enormous sums of money and, in the case of Equifax, give criminals much personal information which can be used to directly defraud credit unions and other financial institutions.

The letter notes the multiple ways credit unions see losses due to merchant data breaches, and highlights that due to being member-owned, these credit union losses directly impact the membership as a whole.

“CUNA favors data security legislation that places liability on a business that loses consumer information through a data breach and creates a mechanism for those harmed by the breach to recover losses from the breached entity. Although we believe breached entities should be responsible to others harmed from the breach, we believe Congress should consider how a member of a member-owned financial institution is harmed in multiples ways by a data breach,” the letter reads. “Absent specific liability requirements, CUNA would not support legislation that diminishes a credit unions ability to recover through common law or other state provisions.”

CUNA priorities for data breach legislation include:

  • A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection;
  • A GLBA equivalent notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm;
  • Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General; and
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.

CUNA also signed into a letter with other financial trade organizations Friday, outlining the need for data breach legislation.