March 16, 2020

Commission data security recommendation aligns with NAFCU's principles

The new Cyberspace Solarium Commission – created under the 2019 National Defense Authorization Act – has released a report that identifies areas of improvement for the federal government's response to a major cyberattack. Of note, one key recommendation aligns with NAFCU's data privacy principles for a comprehensive, national standard.

NAFCU's principles for a federal data privacy standard include establishing a national data security standard. NAFCU, as a leader in calling for national data security standards, has urged lawmakers to consider a national data security standard for institutions that collect and store consumer information. The association was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system.

The commission's report includes more than 75 recommendations to prepare the U.S. government for cyberattacks. Under one of the six pillars related to collaboration with the private sector, the report:

  • recommends a comprehensive national data security standard covering all entities that collect and store consumer information;
  • recommends the establishment of standards of “reasonable” care and security; and
  • recommends enforcement through civil penalties by the Federal Trade Commission.

The report also notes that "competing frameworks threaten to splinter the digital economy, confuse efforts to secure users' personal data, and imperil the ability of American companies to compete globally."

As states consider their own data security and privacy standards, NAFCU has urged the California attorney general to exempt credit unions from the state's privacy law – which took effect Jan. 1 – as the industry already complies with the federal Gramm-Leach-Bliley Act (GLBA) for consumer data security and privacy.

NAFCU President and CEO Dan Berger has asked CFPB Director Kathy Kraninger, who also leads the Federal Financial Institutions Examination Council (FFIEC), to provide interagency guidance related to the GLBA. The guidance would help credit unions and other financial institutions comply with data security and privacy laws, so that credit unions are not unnecessarily burdened by conflicting state laws.

Relatedly, Washington state's legislature last week failed to reconcile its proposed state privacy act.

NAFCU is an advocate for uniform federal standards – not a patchwork of state privacy laws.