February 26, 2019

NAFCU's Thaler reiterates data security principles to House panel

Ahead of today's House Energy and Commerce subcommittee hearing on consumer privacy and data security, NAFCU Vice President of Legislative Affairs Brad Thaler sent a letter reiterating NAFCU's call for a stronger national data security standard and urging that negligent companies – rather than consumers or credit unions – be liable for losses.

The hearing, "Protecting Consumer Privacy in the Era of Big Data," held by the Subcommittee on Digital Commerce and Consumer Protection, begins at 10 a.m. Eastern today.

In his letter to Subcommittee Chairwoman Janice Schakowsky, D-Ill., and Ranking Member Cathy McMorris Rodgers, R-Wash., Thaler wrote that other financial entities already subject to parts of the Gramm-Leach-Bliley Act (GLBA) should be subject to the same regulatory requirements as depository institutions.

Thaler also outlined guiding principles NAFCU and credit unions would like to see incorporated in data security legislation, primarily to ensure that consumers are informed of what data is retained and how it's protected, that breaches are disclosed in a timely manner, and that negligent entities are held responsible when a data breach occurs on their end.

“Under the GLBA, credit unions and other depository institutions are required to meet certain criteria for safekeeping consumers’ personal information and are held accountable if that criteria is not met through examination and penalties. Unfortunately, there is no comprehensive regulatory structure akin to the GLBA that covers other entities who collect and hold sensitive information,” Thaler wrote. “NAFCU strongly supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on depository institutions under the GLBA.”

NAFCU has been a leading advocate for a national data security standard that holds all entities that handle personal financial data to the same standards as credit unions and other depository institutions under the GLBA. It has repeatedly called for action to ensure that credit unions do not bear the cost of negligent data practices by entities like Equifax.