March 26, 2019

NAFCU reiterates credit bureau concerns to House panel

Credit bureaus should be examined for compliance with Gramm-Leach-Bliley Act (GLBA) data security standards, negligent entities should be held financially liable for any breach-related losses, and depository institutions and consumers should be notified of breaches in a timely manner, wrote NAFCU's Brad Thaler ahead of a House Oversight and Reform subcommittee hearing today.

Thaler, NAFCU's vice president of legislative affairs, sent the letter ahead of today's hearing focused on improving cybersecurity at consumer reporting agencies. He said the 2017 Equifax data breach highlights the need for a national data security standard for entities that collect and store consumers' personal and financial information but are not already subject to the same stringent requirements as depository institutions.

"Credit unions suffer steep losses in re-establishing member safety after a data breach like the one at Equifax and are often forced to absorb fraud-related losses in its wake," Thaler wrote. "Credit unions and their members are victims in this breach, as members turn to their credit union for answers and support when such breaches occur. As not-for-profit cooperatives, credit union members are the ones that are ultimately impacted by these costs."

These concerns support NAFCU's call for holding negligent entities financially liable and for timely notification of data breaches, though any new rules should not add to credit unions' compliance burden, Thaler argued.

NAFCU has long been active with lawmakers on the data security issue, and was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system. Data security is also a key pillar of the association's 2019 advocacy priorities.