Strong data security standard with ‘clear, robust mechanisms’ needed

November 21, 2022

CUNA strongly supports the enactment of a comprehensive national data security and data privacy standard, it wrote to the Federal Trade Commission (FTC) Monday. CUNA sent its comments in response to an Advance Notice of Proposed Rulemaking on commercial surveillance and data security.

“Credit unions strongly support the enactment of a comprehensive national data security and data privacy standard that includes robust security requirements that apply to all who collect or hold personal data and is preemptive of state laws,” the letter reads. “We firmly believe there can be no data privacy until there is data security. Securing and protecting consumer data is important not only for consumers’ individual financial health but as a further safeguard against rogue international agents and interference by foreign governments.”

CUNA also called on the FTC to exempt credit unions—as followers of Gramm-Leach-Bliley Act (GLBA) standards—from this rulemaking.

“Financial institutions comply with a rigorous, comprehensive data security and privacy framework and, in fact, compliance is an element of fundamental safety and soundness for the overall banking system,” it reads. “Additionally, it must not be overlooked that the financial industry is the only sector subject to ongoing examination to ensure compliance with these security and privacy standards.”

The letter also reiterates CUNA’s principles for data security and privacy policy:

  • Data privacy and data security are hand in glove and any new comprehensive regulatory framework should include both standards.
  • The new rule should encompass all businesses, institutions, and organizations with a standard very similar to that currently in place for financial institutions under GLBA.
  • Breach disclosure and consumer notification are important but will not, on their own, enhance security or privacy.
  • Hold entities that jeopardize consumer privacy and security accountable through private right of action and regulatory enforcement.
  • Recognize this issue as a national security concern, as data breaches that expose consumer PII are more and more often perpetrated by foreign governments and other rogue international entities.