Data Security

Recent Activity

Legislative and Regulatory Advocacy

NAFCU has been very involved in the post-Equifax fallout on Capitol Hill, meeting with, and submitting letters and legislative ideas to various committees. A number of committees are involved with the issue, including Senate Banking, Senate Commerce, Science, and Transportation, House Financial Services, and House Energy and Commerce. Recently, Senate Banking Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) solicited feedback from interested stakeholders on data privacy, protection, and collection. NAFCU submitted comments answering their specific questions and outlining our principles for a data security standard.

Legislators have been actively working on different data security bills, although a measure has yet to advance. In the 116th Congress, Senators Cantwell and Wicker offered competing bills that seek to create a federal standard and provide consumers with rights to their data. In the House, Representatives Cathy McMorris-Rodgers (R-WA) and Jan Schakowsky (D-IL) released draft legislation that contains similar language to Cantwell’s bill in the Senate but is silent on a private right of action and federal preemption. In the 115th Congress, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) unveiled a draft data security bill, the Data Acquisition and Technology Accountability and Security Act, which addresses the issue from the financial services perspective. Representative Luetkemeyer also circulated a scaled-down version of the legislation that would avoid jurisdictional overlap with the House Energy and Commerce Committee. In addition, the California Consumer Privacy Act (CCPA) took effect on January 1 and legislatures across the country are following California’s lead to enact data privacy legislation.

We ask credit unions to take action and ask their members of Congress to support a national data security standard for all entities that handle sensitive financial information. NAFCU will continue to support legislation to hold retailers accountable for breaches occurring on their end.


NAFCU has testified before Congress several times over the last few years on what we would like to see in any comprehensive cyber and data security standard.

On November 1, 2017, Debra Schwartz, President and CEO of Mission Federal Credit Union and NAFCU Board Vice Chair, testified before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled "Data Security: Vulnerabilities and Opportunities for Improvement." In her testimony, Schwartz explained the impact recent data breaches have had on credit unions and steps Congress can take to hold other entities to similar standards as financial institutions.

On March 8, 2017, Chevron Federal Credit Union’s former President/CEO Jim Mooney testified before the House Small Business Committee at a hearing entitled "Small Business Cybersecurity: Federal Resources and Coordination." In his testimony, Mooney called on Congress to introduce legislation similar to the Data Security Act of 2015 to create a national standard of data security that applies to all entities in the payments chain.

On October 7, 2015, Jan Roche, President and CEO of State Department Federal Credit Union and NAFCU board member, testified before the House Small Business Committee at a hearing regarding the recent EMV transition entitled, "The EMV Deadline and What it Means for Small Businesses." Roche's testimony emphasized that the best way to protect the financial system against payments fraud is through a national data security standard and urged the committee to support the Data Security Act of 2015.

On April 22, 2015, NAFCU President and CEO B. Dan Berger testified before the House Small Business Committee during a hearing entitled "Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks." In his testimony, Berger detailed how credit unions have successfully minimized data breaches and why it is important that others do the same.