Strong, national data security/privacy standard only way to stop breaches

March 17, 2019

Stringent data protection requirements is a hallmark of the financial services industry, but the lack of standards for other entities mean current data security and privacy laws do not work, CUNA wrote Friday. Its letter was sent to Senate Banking Committee leadership in response to an invitation of stakeholder feedback on collection, use and protection of personal information by financial regulators and private companies.

“Congress should not expect any data privacy law it may enact to succeed in providing the desired level of privacy if such legislation does not also require all businesses and originations that collect, use and house personally identifiable information (PII) to protect that data consistent with strong, federal security requirements,” the letter reads. “A federal data security standard is essential to provide Americans with the comfort and confidence that the information that they share with businesses and organizations will remain private and secure.”

As the Senate Banking Committee has jurisdiction over financial institutions, CUNA urges it to “work with other committees and the administration to address consumer data privacy and data security so that all Americans can feel confident that their personal information is protected from breach and will not be misused by any company that possesses it.”

CUNA advanced the following principles for federal privacy and data security legislation:

  • Data privacy and data security are hand in glove: Any new privacy law should include both data privacy and data security standards. Simply put, data cannot be kept private unless it is also secured. Congress should enact robust data security standards to accompany and support data privacy standards;
  • Everyone should follow the same rules: The new law should cover all business, institutions and organizations. Consumers will lose if Congress focuses only on tech companies, credit-rating agencies, and other narrow sectors of the economy because any company that collects, uses or shares personal data or information can misuse the data or lose the data through breach;
  • There should be one rule for the road: Any new law should preempt state requirements to simplify compliance and create equal expectation and protection for all consumers. CUNA understands that some states have strong security and privacy requirements. Congress should carefully examine those requirements and take the best approaches from state law, as appropriate. A patchwork of state laws with a federal standard as a floor will only perpetuate a security system littered with weak links. The federal law should be the ceiling and the ceiling should be high. Just like moving away from the sector specific approach, the goal should be to create a strong national standard for all to follow;
  • Breach disclosure and consumer notification are important but these requirements alone won’t enhance security or privacy: Breach notification or disclosure requirements are important, but they are akin to sounding the alarm after the fire has burned down the building. By the time a breach is disclosed, harm could already have befallen hundreds of thousands, if not millions, of individuals; and
  • Hold entities that jeopardize consumer privacy and security accountable through private right of action and regulatory enforcement: The law should provide mechanisms to address the harms that result from privacy violations and security violations, including data breach. Increasingly, courts are recognizing rights of action for individuals and companies (including credit unions). However, individuals and companies should be afforded a private right of action to hold those that violate the law accountable, and regulators should have the ability to act against entities that violate the law.