Data Privacy and Security

Recent Activity

Legislative and Regulatory Advocacy

The FY 2022 appropriations omnibus package included provisions that require companies and federal agencies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of any significant security breach and within 24 hours of a ransomware payment. This legislation was signed into law on March 15, 2022. Legislators continue to work on other measures related to cybersecurity and data privacy. In the 117th Congress, Senators Roger Wicker (R-KS) and Marsha Blackburn (R-TN) reintroduced the SAFE Data Act as S. 2499 and Representative Suzan DelBene (D-WA) introduced H.R. 1816, the Information Transparency and Personal Data Control Act. In the 116th Congress, Senators Cantwell and Wicker offered competing bills that seek to create a federal standard and provide consumers with rights to their data. In the House, Representatives Cathy McMorris-Rodgers (R-WA) and Jan Schakowsky (D-IL) released draft legislation that contains similar language to Cantwell’s bill in the Senate but is silent on a private right of action and federal preemption. In the 115th Congress, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) unveiled a draft data security bill, the Data Acquisition and Technology Accountability and Security Act, which addresses the issue from the financial services perspective. Representative Luetkemeyer also circulated a scaled-down version of the legislation that would avoid jurisdictional overlap with the House Energy and Commerce Committee. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and the California Privacy Rights Act (CPRA) and privacy laws in Virginia and Colorado will take effect in 2023. Other state legislatures across the country continue to consider data privacy legislation. While this issue must ultimately be resolved at the federal level, NAFCU is actively monitoring privacy legislation at the state level as well to ensure both credit unions and Congress are fully aware of the fragmented state of the law.

NAFCU continues to advocate for national data privacy and security standards that applies to all entities that collect and store personal and financial information and are not already covered by the Gramm-Leach-Bliley Act (GLBA). In January 2022 NAFCU signed a joint letter calling for national data privacy and security legislation to preempt diverging state laws, and in November 2021 NAFCU wrote to the House Financial Services Committee’s Subcommittee on Consumer Protection and Financial Institutions to articulate principles for data privacy and security legislation. In advance of a July 2021 House Small Business Committee hearing on cybersecurity, NAFCU wrote a letter advocating for the principles we would like to see in any comprehensive cyber and data security standards.

Regulatory activity has been similarly robust. In 2020, NAFCU staff met with the Federal Trade Commission’s Bureau of Consumer Protection to discuss the FTC’s enforcement of privacy laws and the future of the FTC’s Gramm–Leach–Bliley Act’s (GLBA) Safeguards Rule. In February, NAFCU wrote to Federal Financial Institutions Examination Council Chair and CFPB Director Kathy Kraninger asking the FFIEC to do what it can to clarify credit unions’ obligations under multiple state law frameworks.

NAFCU is also working hard to build coalitions to support this advocacy work.  NAFCU participates in multiple working groups advocating for federal data privacy and security standards to ensure the credit union perspective is heard. NAFCU also serves as an observer on the Uniform Law Commission’s Collection and Use of Personally Identifiable Data Committee.

NAFCU has been very involved in advocating for credit unions in the fallout of merchant breaches. For example, following the Equifax breach, NAFCU has been on Capitol Hill, meeting with, and submitting letters and legislative ideas to various committees. A number of committees are involved with the issue, including Senate Banking, Senate Commerce, Science, and Transportation, House Financial Services, and House Energy and Commerce. Recently, Senate Banking Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) solicited feedback from interested stakeholders on data privacy, protection and collection. NAFCU submitted comments answering their specific questions and outlining our principles for a data security standard.

We ask credit unions to take action and ask their members of Congress to support a national data privacy and security standard for all entities that handle sensitive financial information. NAFCU will continue to support legislation that protects consumers, provides certainty for credit unions, and holds retailers, merchants and fintech companies responsible for their own data security practices.


NAFCU has testified before Congress several times over the last few years on what we would like to see in any comprehensive data security standard.

On November 1, 2017, Debra Schwartz, President and CEO of Mission Federal Credit Union and NAFCU Board Vice Chair, testified before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled "Data Security: Vulnerabilities and Opportunities for Improvement." In her testimony, Schwartz explained the impact recent data breaches have had on credit unions and steps Congress can take to hold other entities to similar standards as financial institutions.

On March 8, 2017, Chevron Federal Credit Union’s former President/CEO Jim Mooney testified before the House Small Business Committee at a hearing entitled "Small Business Cybersecurity: Federal Resources and Coordination." In his testimony, Mooney called on Congress to introduce legislation similar to the Data Security Act of 2015 to create a national standard of data security that applies to all entities in the payments chain.