
November 12, 2014

Retailers are skirting data security issue, NAFCU, trades tell Congress

Retailer groups' data security arguments are "inaccurate and misleading" given their members "are not covered by any federal laws or regulations that require them to protect data and notify consumers when it is breached," NAFCU and six other financial trades told House and Senate leaders Wednesday.

"National consumer notification alone – as advocated by [a] November 6th letter [from retailers] – will not solve this problem," the groups said jointly in a letter sent Wednesday to Senate Majority Leader Harry Reid, D-Nev., Senate Minority Leader Mitch McConnell, R-Ky., House Speaker John Boehner, R-Ohio, and House Democratic Leader Nancy Pelosi, D-Calif. "It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse."

The retailers' Nov. 6 letter to House and Senate leaders focused on the need for national breach notification standards. The financial trades, in their response Wednesday, said that while retailers as well as financial institutions have been victims of data breaches, only financial institutions "are required by federal law and regulation to protect [consumer] information and notify consumers when a breach occurs that will put them at risk."

These requirements for financial institutions have been in place since 1999 under the Gramm-Leach-Bliley Act. Since 1999, regulators have strengthened these requirements, subjecting financial institutions to:

  • requirements for consumer notification when there is a data breach;
  • extensive federal oversight and regular examinations of compliance with data protection and notice requirements;
  • potential fines of up to $1 million per day for compliance violations.

Bringing retailers under a regulatory framework similar to the one financial institutions face, without creating additional burdens for credit unions, is a key tenet of NAFCU's five-point plan for regulatory relief. NAFCU has been pressing hard for passage of legislation to set national data security and breach notification standards for retailers.

Wednesday's letter was signed by NAFCU, CUNA, American Bankers Association, The Clearing House, Consumer Bankers Association, Financial Services Roundtable and Independent Community Bankers of America.