WASHINGTON (1/26/15)--A group of financial trade organizations, including the Credit Union National Association, has written to Congress with a set of principles to serve as a guide for potential data security legislation.
President Barack Obama has spoken of the need for such legislation, and the House subcommittee on commerce, manufacturing and trade will host a hearing this week examining what sound data breach legislation should look like.
CUNA President/CEO Jim Nussle said the joint letter--with credit unions and banks uniting in a single message--serves to underscore the importance that legislative action be taken to plug the gaps in data security rules that apply to merchants.
The letter reads, "Some industries--including the financial industry--are required by law to develop and maintain robust internal protections to combat and address criminal attacks, and are required to protect consumer financial information and notify consumers when a breach occurs within their systems that will put their customers at risk.
"The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes."
The letter is signed by CUNA, the American Bankers Association, the Consumer Bankers Association, the Financial Services Roundtable, the Independent Community Bankers Association, the National Association of Federal Credit Unions and The Clearing House.
The list of principles the organizations believe should serve as a guide when drafting data breach legislation is:
- Strong national data protection and consumer notification standards with effective enforcement provisions that are applicable to any party with access to important consumer financial information;
- Banks and credit unions are already subject to robust data protection and notification standards. These Gramm-Leach-Bliley Act requirements must be recognized;
- Pre-emption of inconsistent state laws and regulations for strong federal data protection and notification standards;
- In the event of a breach, the public should be informed where it occurred as soon as reasonably possible to allow consumers to protect themselves from fraud. Credit unions and banks should be able to inform their customers and members about the breach, including the entity at which it occurred; and
- Requiring the costs of data breaches to be borne by the entity that incurs the breach.
Financial institutions are subject to significant federal requirements regarding protection of information and consumer notification, and they are also subject to federal oversight, examination and sanction authority.
"This extensive legal, regulatory examination and enforcement regime ensures that financial institutions robustly protect Americans' personal financial information," the letter reads. "In contrast, retailers that accept electronic payments face no similar requirements or oversight, and as a result millions of American consumers' personal financial information has been compromised in recent years."
According to surveys conducted by CUNA on the breaches, those events cost credit unions roughly $60 million and $30 million, respectively.