Depository institutions have been subject to a national standard on data privacy and security since the passage of the Gramm-Leach-Bliley Act (GLBA) over two decades ago. The GLBA includes both a Financial Privacy Rule, implemented by the Bureau’s Regulation P, and a Safeguards Rule, implemented for credit unions in NCUA’s Part 748. In combination, these two regulations establishes robust protections for the privacy and safety of members’ financial information. However, other entities who handle consumer financial data do not have similarly-enforced standards. This gap in legal and regulatory requirements, enforcement and examination has resulted in real harm to credit unions and consumers.
In the absence of comprehensive privacy protection laws, the discovery of some data sharing business practices, such as those uncovered in the Facebook-Cambridge Analytica scandal, have highlighted the need for consistent protections surrounding the sale and use of consumer’s personal information. Other nations have passed comprehensive privacy laws, for example, the European Union (EU) passed the General Data Protection Regulation (GDPR). The GDPR, which took effect in May 2018, was designed to protect the privacy of EU residents but applies to all companies processing or controlling the personal information of EU residents, regardless of the business’s location. In the absence of similar federal action in the U.S., states have moved to implement their own privacy laws. In particular, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA applies to certain businesses serving residents of California. The CCPA generally offers California consumers new statutory rights to learn what personal information businesses have collected, opportunities to opt-out of the sale of their personal information, and protection from “discrimination” in the form of reduced service. While the CCPA exempts information collected pursuant to the GLBA, it does not exempt GLBA-covered entities, raising complex questions regarding the coverage of these laws. Other states are introducing their own privacy legislation, further confusing credit unions on compliance requirements. Credit unions seeking to manage data privacy obligations from multiple jurisdictions face an enormous operational challenge.
Further, ongoing cyberattacks and frequent data breaches, and the cost of dealing with these issues has hindered credit unions’ ability to serve their members. Credit bureaus, such as Equifax, handle millions of consumer financial records and are subject to the GLBA, but they remain unexamined for compliance with security standards and the Federal Trade Commission's implementing regulations for credit reporting bureaus are less stringent than those applicable to credit unions and banks. Other entities, such as retailers, merchants and fintech companies who regularly handle large volumes of financial data, are not legally subject to security requirements at all, let alone regularly examined for the sufficiency of their practices. When one of these organizations suffers a breach, it is the credit union which ultimately bears the cost of reissuing debit and credit cards and the losses associated with resulting identity theft and fraud.
NAFCU is leading the charge against a patchwork of state privacy laws to protect credit unions from the burden of compliance with multiple privacy frameworks and continues to work with Congress to establish consistent protection of consumer financial data and hold all entities accountable.