Removing Barriers Blog

CUNA writes to Senate Banking prior to hearing on data privacy
Posted June 11, 2019 by CUNA Advocacy

Prior to the Senate Banking Committee hearing on Data Brokers and the Impact on Financial Data Privacy, Credit, Insurance, Employment and Housing, CUNA wrote to Chairman Crapo and Ranking Member Brown, continuing its advocacy efforts on data security. Although the Gramm-Leach-Bliley Act has served the financial services industry well, Congress must work with the administration to finally address consumer data privacy in a meaningful way.

“The current gaps in data protection and privacy laws hurt consumers and businesses as information is misused by criminals and other actors with malicious intent. Financial institutions are at the vanguard for misuse of stolen data,” the letter reads. “Although data security is a major issue for credit unions, we realize the problem is much bigger than the financial services industry with robust privacy and data security requirements for all industries becoming increasingly necessary.

“The cornerstone of any new privacy requirements should be robust data security requirements for business and other entities that collect consumers’ personal information. The current patchwork of laws is complex even at the Federal level,” it adds.

CUNA believes any data privacy legislation must:

  • Cover both privacy and data security. There cannot be privacy of data without protection from loss due to breach or other types of theft;
  • Cover all institutions, not just tech companies, credit-rating agencies and other narrow sectors of the economy. Any company that collects, uses or shares personal data or information has the opportunity to misuse the data or lose the data through breach;
  • Base data security requirements on protection of data to prevent theft and misuse. Notification or disclosure after the fact is important but is not the stopping point for adequate protection. By the time a breach is disclosed, harm could already have befallen hundreds of thousands, if not millions, of individuals, so robust protection is paramount for any new requirements;
  • Provide mechanisms to address the harms that result from privacy violations and security violations, including data breach. Individuals and companies should be afforded a private right of action to hold those that violate the law accountable, and regulators should have the ability to take action against entities that violate the law; and
  • Preempt state requirements to simplify compliance and create equal expectation and protection for all consumers. Just like moving away from the sector-specific approach, the goal should be to create a national standard for all to follow.