December 04, 2019

NAFCU outlines 6 data privacy principles in new white paper

As lawmakers – at both the federal and state level – consider new legislation regarding consumers' data privacy, NAFCU has developed a new white paper that outlines six principles to support its leading advocacy efforts on the issue.

Through the detailed white paper, NAFCU emphasizes the need "for a comprehensive federal data privacy standard that protects consumers, harmonizes existing federal data privacy laws, and preempts state privacy laws." The association encourages Congress to adopt six principles to address these goals in any federal privacy legislation:

  1. A comprehensive national data security standard covering all entities that collect and store consumer information. NAFCU believes that financial institutions and non-financial institution entities – including fintech, retailers, and others that handle personal information – should be held to the same data privacy and security standards, which currently is not the case.
  2. Harmonization of existing federal laws and preemption of any state privacy law related to the privacy or security of personal information. Without a federal standard in place, states have taken solutions into their own hands. However, NAFCU is concerned that the patchwork of privacy laws has created a confusing, burdensome environment.
  3. Delegation of enforcement authority to the appropriate sectoral regulator. For credit unions, the NCUA should be the sole regulator. NAFCU is supportive of a strong, independent NCUA as the agency is well-versed in credit unions' unique nature and is best equipped to examine credit unions for data privacy and cybersecurity compliance.
  4. A safe harbor for businesses that take reasonable measures to comply with the privacy standards. A federal data privacy bill should take a principles-based approach to its requirements based on an institution's specific operations and risk profile. Those organizations that develop and implement appropriate measures should be provided a safe harbor.
  5. Notice and disclosure requirements that are easily accessible to consumers and do not unduly burden regulated entities. NAFCU recommends incorporating requirements from the Gramm-Leach-Bliley Act (GLBA), which credit unions are already subject to, to avoid conflicting or duplicative disclosure requirements.
  6. Scalable civil penalties for noncompliance imposed by the sectoral regulator that seek to prevent and remedy consumer injury. Given the difficulty in establishing damages to consumers, which increases the likelihood of frivolous lawsuits, each regulator should have the ability to assess scalable civil penalties to remedy and prevent consumer harm.

The white paper also provides a deep dive into current privacy laws that have an impact on credit unions, from the European Union's General Data Protection Regulation to the California Consumer Privacy Act (a comparison chart of the two standards is available in the paper). NAFCU reviews ongoing state and federal legislative efforts and additional considerations for a federal privacy standard.

NAFCU – a leader in calling for a national data security standard – has advocated for safeguards to ensure that negligent entities are held accountable for data exposures, and that consumers have control over their data and are notified of breaches in a timely manner. The association was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system.