Newsroom
NAFCU supports enhanced data security protections under safeguards proposal
NAFCU's Andrew Morris shared the association's support of the Federal Trade Commission's (FTC) efforts to modernize its Safeguards Rule in a letter sent Friday. The proposed amendments would amend the FTC's implementation of the Gramm-Leach Bliley Act's (GLBA) safeguards provisions by aligning data security standards for nonbank financial companies more closely with those already established by prudential regulators.
"Although federally-insured credit unions are not subject to the FTC's Safeguards Rule, they follow regulations and guidance promulgated by the National Credit Union Administration (NCUA) and the Federal Financial Institutions Examination Council (FFIEC)," wrote Morris, NAFCU's senior counsel for research and policy. "Given the severity and extent of recent data breaches at financial companies subject to the FTC's jurisdiction and Safeguards Rule, such as Equifax, it is imperative to adopt more comprehensive security requirements."
Morris acknowledged that the proposed incident response plan is an improvement in regards to cyber hygiene, but recommended that the FTC consider additional reporting and notification requirements to "ensure that security breaches can be contained and mitigated as quickly as possible."
"NAFCU considers mandatory reporting and disclosure essential in any federal data security standard and has, for many years, advocated for legislation that would hold merchants and other entities handling financial information accountable for the consequences of data breaches," Morris said.
NAFCU also sought clarification of the applicability of the Safeguards Rule to accommodate existing regulatory frameworks for data security.
NAFCU has long been active with lawmakers on the issue of data security and was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system. The association has cybersecurity compliance resources available online.