January 03, 2018

NAFCU continues push for data security legislation

NAFCU Vice President of Legislative Affairs Brad Thaler, in a letter yesterday, outlined credit unions' guiding principles for Congress to keep in mind as it works on a legislative solution for data and cybersecurity standards. NAFCU is a leading advocate for a national data security standard for all entities that collect and hold consumers' personal and financial information.

Thaler was responding to a request for comments from Reps. Greg Walden, R-Ore., and Bob Latta, R-Ohio, on data breach legislation. Walden is the chairman of the Energy and Commerce Committee, and Latta is the chairman of the Subcommittee on Digital Commerce and Consumer Protection.

NAFCU's guiding principles for data security legislation, as outlined in Thaler's letter, include:

  • requiring entities to be accountable for related costs of data breaches that occur on their end, especially if the breach is caused by that entity's negligence;
  • requiring all entities that store consumer data to meet standards similar to those imposed on depository institutions under the Gramm-Leach-Bliley Act (GLBA);
  • requiring merchants to post their data security policies at the point of sale if they take sensitive financial data;
  • informing financial institutions of any compromised personally identifiable information when associated accounts are involved;
  • disclosing names of the companies and merchants whose data systems have been violated so consumers are aware of those that place their personal information at risk;
  • taking enforcement action on violations of existing agreements and law by those who retain payment card information electronically; and
  • having the evidentiary burden of proving a lack of fault rest with the negligent entity that incurred the data breach.

Thaler also urged the Energy and Commerce Committee to work collaboratively with the House Financial Services Committee to advance legislation. In November, the association testified before a House Financial Services subcommittee and recommended ways to curb data breaches.

NAFCU previously joined with six other financial industry trades in submitting a joint letter to Walden and Latta calling for a strong national data security standard and breach notification requirements.

NAFCU was the first financial trade group to call for a national data security standard for retailers in the wake of the 2013 Target breach.