Nussle promotes legislative fixes to data security's 'weak links'

March 17, 2015

WASHINGTON (3/18/15)--Credit unions are subject to high data protection standards under the Gramm-Leach-Bliley Act, and they take their responsibility to protect their members' data seriously, CUNA President/CEO Jim Nussle said in a letter to leadership of a House Energy and Commerce subcommittee Tuesday.

"Unfortunately," the CUNA leader continued, "there is a weak link in the payments system that leaves consumers' financial data vulnerable to theft by domestic and international wrongdoers. The weak link is the absence of federal data security standards for the merchants that accept payment cards." The Nussle letter was sent to Reps. Michael Burgess (R-Texas), the subcommittee chair, and Jan Schakowsky (D-Ill.), its ranking member.

The energy and commerce panel is conducting a hearing today on a discussion draft of the Data Security and Breach Notification Act of 2015. Nussle thanked the committee for its examination of the bill.

He informed the lawmakers that credit unions join with colleagues in the banking industry to call on Congress to enact meaningful data security legislation that incorporates the following principles:

  • Strong national data protection and consumer notification standards with effective enforcement provisions must be part of any comprehensive data security regime, applicable to any party with access to important consumer financial information;
  • Banks and credit unions are already subject to robust data protection and notification standards. These Gramm-Leach-Bliley Act requirements must be recognized;
  • Strong federal data protection and notification standards should preempt inconsistent state laws and regulations;
  • In the event of a breach, the public should be informed where it occurred as soon as reasonably possible to allow consumers to protect themselves from fraud. Banks and credit unions, which often have the most direct relationship with affected consumers, should be able to inform their customers and members about the breach, including the entity at which the breach occurred; and,
  • As credit unions and banks too often bear a disproportionate burden in covering the costs of breaches occurring beyond their premises, all parties must share in protecting consumers. The costs of a data breach should ultimately be borne by the entity that incurs the breach.

Nussle noted that there are a number of congressional committees exploring remedies to merchant data breaches, but given the "very direct and detrimental impact these breaches have on credit unions and banks," CUNA is asking the House Financial Services Committee to take a leadership role in this effort.

CUNA also joined forces with other trade groups in a separate joint letter to the subcommittee leaders to make very similar points in unison. In addition to CUNA, the letter was signed by the American Bankers Association, The Clearing House, Consumer Bankers Association, Financial Services Roundtable, Independent Community Bankers of America and the National Association of Federal Credit Unions.