Legislative and Regulatory Advocacy
Legislators have been actively working on different data security bills, although a measure has yet to advance. In the 116th Congress, Senators Cantwell and Wicker offered competing bills that seek to create a federal standard and provide consumers with rights to their data. In the House, Representatives Cathy McMorris-Rodgers (R-WA) and Jan Schakowsky (D-IL) released draft legislation that contains similar language to Cantwell’s bill in the Senate but is silent on a private right of action and federal preemption. In the 115th Congress, Representatives Blaine Luetkemeyer (R-MO) and Carolyn Maloney (D-NY) unveiled a draft data security bill, the Data Acquisition and Technology Accountability and Security Act, which addresses the issue from the financial services perspective. Representative Luetkemeyer also circulated a scaled-down version of the legislation that would avoid jurisdictional overlap with the House Energy and Commerce Committee. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and legislatures across the country are following California’s lead to enact data privacy legislation. While this issue must ultimately be resolved at the federal level, NAFCU is actively monitoring privacy legislation at the state level as well to ensure both credit unions and Congress are fully aware of the fragmented state of the law.
Regulatory activity has been similarly robust. In 2020, NAFCU staff met with the Federal Trade Commission’s Bureau of Consumer Protection to discuss the FTC’s enforcement of privacy laws and the future of the FTC’s Gramm–Leach–Bliley Act’s (GLBA) Safeguards Rule. In February, NAFCU wrote to Federal Financial Institutions Examination Council Chair and CFPB Director Kathy Kraninger asking the FFIEC to do what it can to clarify credit unions’ obligations under multiple state law frameworks.
NAFCU is also working hard to build coalitions to support this advocacy work. NAFCU participates in multiple working groups advocating for federal data privacy and security standards to ensure the credit union perspective is heard. NAFCU also serves as an observer on the Uniform Law Commission’s Collection and Use of Personally Identifiable Data Committee.
NAFCU has been very involved in advocating for credit unions in the fallout of merchant breaches. For example, following the Equifax breach, NAFCU has been on Capitol Hill, meeting with, and submitting letters and legislative ideas to various committees. A number of committees are involved with the issue, including Senate Banking, Senate Commerce, Science, and Transportation, House Financial Services, and House Energy and Commerce. Recently, Senate Banking Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) solicited feedback from interested stakeholders on data privacy, protection and collection. NAFCU submitted comments answering their specific questions and outlining our principles for a data security standard.
We ask credit unions to take action and ask their members of Congress to support a national data privacy and security standard for all entities that handle sensitive financial information. NAFCU will continue to support legislation that protects consumers, provides certainty for credit unions, and holds retailers, merchants and fintech companies responsible for their own data security practices.
NAFCU has testified before Congress several times over the last few years on what we would like to see in any comprehensive data security standard.
On November 1, 2017, Debra Schwartz, President and CEO of Mission Federal Credit Union and NAFCU Board Vice Chair, testified before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled "Data Security: Vulnerabilities and Opportunities for Improvement." In her testimony, Schwartz explained the impact recent data breaches have had on credit unions and steps Congress can take to hold other entities to similar standards as financial institutions.
On March 8, 2017, Chevron Federal Credit Union’s former President/CEO Jim Mooney testified before the House Small Business Committee at a hearing entitled "Small Business Cybersecurity: Federal Resources and Coordination." In his testimony, Mooney called on Congress to introduce legislation similar to the Data Security Act of 2015 to create a national standard of data security that applies to all entities in the payments chain.