Data Privacy and Security

Our Position

NAFCU advocates for legislation establishing a comprehensive federal data privacy and security standard. This standard should harmonize existing federal data privacy laws, preempt state privacy laws, and implement proper guardrails for consumers’ protection across the entire environment rather than just in certain sectors. Multiple privacy frameworks at the federal and state levels create an unnecessary compliance burden for credit unions and generate confusion for consumers about the applicability of disclosures and the extent of their rights.

A national standard should also include cybersecurity standards for all entities that collect and store consumer information, including merchants, retailers, and fintech companies. The standards of the Safeguards Rule under the Gramm-Leach-Bliley Act are robust, but only apply to financial institutions. Over the past two decades, other entities have been collecting, storing, and transmitting a tremendous amount of consumers’ financial data without the protection of enforced security standards.

For credit unions, this national data privacy and security standard should be enforced by the National Credit Union Administration (NCUA) through the imposition of scalable civil penalties. NCUA is well versed in the unique nature of credit unions and their operations, and is in the best position to examine and enforce any privacy and cybersecurity requirements for credit unions. Further, scalable civil penalties are the only proper remedy for the enforcement of such a standard. Actual damages from privacy violations are too difficult to establish by evidence. Enforcement through a personal right of action and statutory damages is incredibly ripe for frivolous lawsuits. Scalable civil penalties can be used to remedy and prevent consumer harm in a meaningful way.

For more information on our position on a federal data privacy standard, please view our issue brief. Our team is committed to ensuring credit unions are not burdened by compliance with conflicting privacy frameworks and the fallout of breaches by merchants and retailers. This is a quickly developing area of the law and NAFCU is at the forefront of the issue, ensuring the credit union perspective is being shared.