November 07, 2017

NAFCU continues data security push ahead of Senate hearing

Ahead of today's Senate Commerce, Science, and Transportation Committee hearing on protecting consumers from data breaches, NAFCU Vice President of Legislative Affairs Brad Thaler sent a letter reiterating NAFCU's call for a stronger national data security standard and urging that negligent companies – rather than consumers or credit unions – be held liable for losses.

The hearing, "Protecting Consumers in the Era of Major Data Breaches," begins at 10 a.m. Eastern today. Witnesses include executives from Equifax, Yahoo!, Verizon Communications Inc. and Entrust Datacard Corp. It will be the first time Equifax's current CEO will testify on the issue before Congress.

In his letter to Senate Commerce Chairman John Thune, R-S.D., and Ranking Member Bill Nelson, D-Fla., Thaler wrote that credit reporting agencies already subject to parts of the Gramm-Leach-Bliley Act (GLBA), like Equifax, should be subject to the same regulatory requirements as depository institutions.

"Additionally, the recent Equifax breach reportedly occurred through a 'known' security vulnerability that software companies had issued a patch to fix several weeks prior," Thaler wrote. "If Equifax had acted to remedy the vulnerability in a reasonable period of time, this breach may not have occurred."

Thaler noted in his letter that "credit unions suffer steep losses" after data breaches as they work to help their members recover. He requested that any negligent company, especially those that knew about a threat and failed to mitigate it prior to a breach, be held financially liable.

NAFCU has been a leading advocate for a national data security standard that holds all entities that handle personal financial data to the same standards as credit unions and other depository institutions under the GLBA. It has repeatedly called for action to ensure that credit unions do not bear the cost of negligent data practices by entities like Equifax.

Last week, during the association's eighth testimony before Congress, NAFCU recommended ways for Congress to create a national data security standard and greatly minimize the number and impact of data breaches.