Data Security

Our Position

The terms “data security” and “data privacy” are often used interchangeably; however, there are key differences between security and privacy. Data privacy refers to the use, sharing, and/or selling of customer data by businesses. Data security refers to protections put in place to prevent access to sensitive information by unauthorized users.

Data Security: Data security breaches are a serious problem for both consumers and businesses. Currently, credit unions are subject to strong data security standards; however, merchants and retailers are not, and many follow their own data security standards. Recent high-profile breaches affecting retailers proves that much more needs to be done to protect consumers' financial data.

As a result, NAFCU advocates for a comprehensive federal data protection standard to ensure that all entities that collect and store consumer information, not just financial institutions, are keeping consumers' data safe. We advocate that any organization handling personal information should be required to provide reliable and secure information systems just as credit unions have.

Data Privacy: In light of the mounting uncertainty and escalating compliance burdens after implementation of the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe, NAFCU advocates for a comprehensive federal data privacy standard that protects consumers, harmonizes existing federal data privacy laws, and preempts state privacy laws.

The job of enforcing privacy standards should belong to the entity’s regulator in addition to providing a safe harbor for any business that takes reasonable measures to comply with the privacy standards. Data privacy must include easy to read notice and disclosure requirements that do not unduly burden businesses.

For more information on our data privacy framework, please view our issue brief.

NAFCU's work on data security and cybersecurity is ongoing and our team is committed to ensuring credit unions have the resources they need to address the cybersecurity environment financial institutions face.