Data Security

Our Position

Data security breaches are a serious problem for both consumers and businesses. Currently, credit unions are subject to strong data security standards established by Congress and federal regulators. Unfortunately, merchants and retailers are not subject to the same federal requirements, and many of them follow their own data security standards. High-profile breaches at numerous retailers prove that much more needs to be done to protect consumers' financial data. That is why we are fighting for a comprehensive federal data protection standard to ensure that all entities that handle consumer information, not just financial institutions, are keeping consumers' data safe.

NAFCU recognizes that a legislative solution to establish such a standard is a complex issue, and so we have established a set of guiding principles that define the key issues credit unions would like to see addressed in any comprehensive cyber and data security standard. These principles include:

  • Payment of Breach Costs by Breached Entities: NAFCU asks that the costs credit unions bear for breaches involving card data be reduced. A reasonable and equitable way to address this concern would be legislation requiring entities to be accountable for the costs of data breaches that result from their own negligence.
  • National Standards for Safekeeping Information: It is critical that sensitive personal information be safeguarded at all stages of transmission. Under the Gramm-Leach-Bliley Act (GLBA), credit unions and other depository institutions are required to meet certain criteria for safekeeping consumers’ personal information and are held accountable if those criteria are not met through examination and penalties. Unfortunately, there is no comprehensive regulatory structure akin to the GLBA that covers other entities who collect and hold sensitive information. NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on depository institutions under the GLBA.
  • Data Security Policy Disclosure: Many consumers are unaware of the risks they are exposed to when they provide their personal information. NAFCU believes this problem can be alleviated by simply requiring merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large.
  • Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. NAFCU believes that it would make sense to include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved.
  • Disclosure of Breached Entity: NAFCU believes that consumers should have the right to know which business entities have been breached. We urge Congress to mandate disclosure of the identities of companies and merchants whose data systems have been compromised, so that consumers are aware of the entities that have placed their personal information at risk.
  • Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address violations of existing agreements and law by those who retain payment card information electronically. Many entities do not respect this prohibition and store sensitive personal data in their systems, where in many cases it can be breached easily.
  • Burden of Proof in Data Breach Cases: In line with the responsibility for making consumers whole after they are harmed by a data breach, NAFCU believes that the evidentiary burden of proving a lack of fault should rest with the entity that suffered the breach, not with the consumers or financial institutions left to absorb the losses.

NAFCU's work on data security and cybersecurity is ongoing, and our team is committed to ensuring that credit unions have the resources they need to address the cybersecurity environment that financial institutions face.