news.cuna.org/articles/122431-pii-misuse-is-national-security-issue-impacting-consumers

Comprehensive data security, privacy framework must be established

April 27, 2023

CUNA urged Congress to take action on data security in order to ensure consumers’ data privacy, and submitted a letter outlining concerns in advance of a Thursday data privacy hearing, held by a Senate Energy and Commerce subcommittee.

“Credit unions strongly support the enactment of a national data security and data privacy law that includes robust security standards that apply to all who collect or hold personal data and is preemptive of state laws,” the letter reads. “We firmly believe that there can be no data privacy until there is strong data security.”

CUNA noted the more than 10,000 data breaches exposing nearly 12 billion consumer records since 2005, costing credit unions – and their members – hundreds of millions of dollars, and jeopardizing consumers’ privacy and financial security.

“While this extensive legal and regulatory examination and enforcement framework ensures that credit unions robustly protect consumers’ personal financial information, this safety net only extends to financial institutions,” it adds. “As consumers’ personal information is disseminated to third parties, those protections end and credit unions and their members are adversely impacted by the lax data security standards at other businesses. These loopholes must end and a comprehensive data security and privacy framework that covers all entities that collect consumer information and is preemptive of state laws must be established and this standard must hold those who jeopardize that data accountable through enforcement.”

CUNA called on the committee and Congress to adhere to the following principles for federal privacy and data security legislation:

  • New privacy and data security laws should keep financial services’ robust data and privacy requirements under the Gramm-Leach-Bliley Act in place.
  • Any new privacy law should include both data privacy and data security standards.
  • The new law should cover all businesses, institutions and organizations.
  • Any new law should preempt state requirements to simplify compliance and create equal expectation and protection for all consumers.
  • Breach notification or disclosure requirements are important, but they are akin to sounding the alarm after the fire has burned down the building.
  • The law should provide mechanisms to address the harms that result from privacy violations and security violations, including data breach.
  • Recognize this issue for what it is: a national security issue.