CUNA pushes for data breach legislation in letter to Congress

July 30, 2018


CONTACT: Lauren Williams – CUNA Communications; (202) 626-7642; 

Washington, D.C. (July 30, 2018) – Mitigating losses from merchant data breaches remains a top credit union priority. Credit Union National Association (CUNA) wrote to Rep. Bob Latta (R-Ohio), chair of the House Energy and Commerce subcommittee on digital commerce and consumer protection Friday.  

Losses to credit unions from merchant data breaches impact credit unions in many ways. Although credit unions bear the direct financial losses from fraud resulting from a merchant data breach, members bear a cost as owners of credit unions because credit unions are member-owned organizations. Due to credit unions’ ownership structure, any loss to a credit union from a data breach impacts members directly as their member benefits are directly decreased by losses from the breaches. These losses can be exasperated by credit unions membership requirements that can create concentrations of memberships and lead to a more impactful data breach. 

“CUNA favors data security legislation that places liability on a business that loses consumer information through a data breach and creates a mechanism for those harmed by the breach to recover losses from the breached entity. Although we believe breached entities should be responsible to others harmed from the breach, we believe Congress should consider how a member of a member-owned financial institution is harmed in multiples ways by a data breach,” the letter reads. “Absent specific liability requirements, CUNA would not support legislation that diminishes a credit unions ability to recover through common law or other state provisions.” 

The letter highlights several other priorities including:  

  • A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection; 
  • A GLBA equivalent notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm; 
  • Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General; and  
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard. 

CUNA and other financial trade associations stressed the importance of meeting certain requirements to create a robust data security legislation that will provide adequate consumer protection for those harmed by data breaches.  


About CUNA 

Credit Union National Association (CUNA) is the only national association that advocates on behalf of all of America’s credit unions, which are owned by 110 million consumer members. CUNA, along with its network of affiliated state credit union leagues, delivers unwavering advocacy, continuous professional growth and operational confidence to protect the best interests of all credit unions. For more information about CUNA, visit