February 05, 2018

NAFCU offers data security principles to Senate panel

NAFCU, as a leading advocate for national data security standards, offered principles credit unions would like to see addressed in any comprehensive cyber and data security legislation ahead of a Senate subcommittee hearing on data breaches today.

The Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security is holding a hearing at 3 p.m. Eastern today to examine a 2016 data breach that occurred at ride-sharing company Uber.

In the letter to Subcommittee Chairman Jerry Moran, R-Kan., and Ranking Member Richard Blumenthal, D-Conn., NAFCU's Brad Thaler wrote that "the ever-increasing number of data breaches demonstrates the need for a national data security standard for entities that collect and store consumers' personal and financial information that are not already subject to the same stringent requirements as depository institutions."

Thaler, NAFCU's vice president of legislative affairs, outlined the association's principles for such a standard, which include:

  • requiring entities to be accountable for related costs of data breaches that occur on their end, especially if the breach is caused by that entity's negligence;
  • requiring all entities that store consumer data to meet standards similar to those imposed on depository institutions under the Gramm-Leach-Bliley Act (GLBA);
  • requiring merchants to post their data security policies at the point of sale if they take sensitive financial data;
  • informing financial institutions of any compromised personally identifiable information when associated accounts are involved;
  • disclosing names of the companies and merchants whose data systems have been violated so consumers are aware of those that place their personal information at risk;
  • enforcing violations of existing agreements and law by those who retain payment card information electronically; and
  • having the evidentiary burden of proving a lack of fault rest with the negligent entity that incurred the data breach.

Thaler encouraged the subcommittee to work together with other Senate committees and the House to develop and advance data security legislation this year.

NAFCU has been active on data security issues in recent years. The association was the first financial trade group to call for a national data security standard for retailers in the wake of the 2013 Target breach, and last November, a NAFCU witness testified before a House Financial Services subcommittee and recommended ways to curb data breaches.