CUNA, trades call for legislation w/ strong merchant security reqs

July 31, 2018

Major merchant data breaches continue to put millions of consumers at risk, CUNA and other financial trade organizations wrote in a joint letter Tuesday. The joint letter was sent to Rep. Bob Latta (R-Ohio), chairman of the House Energy and Commerce subcommittee, and follows up a letter CUNA wrote last week on the same topic.

"Data breaches impose significant costs on financial institutions of all sizes because our first priority is to protect consumers and ensure that they have no liability for fraud that typically follows a breach.  Our members provide relief to victims of breaches, regardless of where the breach occurs," the letter reads. "In our view, it is critical for your committee and the [House] Financial Services Committee to collaboratively move forward on legislation that puts in place strong national data security and breach notification requirements and eliminates the current inconsistent patchwork of state law." 

The letter highlights principles the trades believe should be part of any data breach bill:

  • A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection that factors in the size and complexity of an organization, the cost of available tools to secure data and the sensitivity of the personal information an organization holds. It should also guarantee that small organizations are not burdened by excessive requirements;
  • A GLBA equivalent notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm;
  • Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General; and
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.

The letter notes that this robust, yet flexible and scalable data standard, should be coupled with effective oversight and enforcement procedures to ensure accountability and compliance.

CUNA launched its latest Member Activation Program campaign, Stop the Data Breaches, last week to push credit unions to activate their members to contact Congress about the need for data breach legislation.