Data Privacy and Security
Technology and the role of data in our economy have significantly changed over the last two decades, but federal law has not kept pace.
Our Position
NAFCU advocates for a comprehensive federal data privacy and security standard that covers all entities that collect and store consumer information. In the absence of a national standard, many states have passed their own privacy and data security laws, leaving credit unions to comply with a patchwork of state privacy laws in addition to the existing, strong standards under the Gramm-Leach-Bliley Act, its implement regulations, and examiner expectations. Without a national data security standard for merchants and retailers who handle member’s financial data, credit unions bear the burden of merchants’ security practices as they incur steep losses in order to reestablish member safety. High profile scandals related to information sharing and breaches at numerous retailers proves that much more needs to be done to protect the privacy and security of consumers' financial data.
How This Impacts You
Privacy and data security requirements are becoming increasingly fragmented as multiple states establish their own privacy frameworks. Credit unions may find themselves facing multiple conflicting requirements at the federal and state levels, resulting in expensive and confusing compliance burden. While these frameworks may contain liability or notice provisions regarding breaches, they rarely establish cybersecurity standards similar to the standards applicable to credit unions, continuing to leave retailers and merchants to determine requirements for themselves. A recent NAFCU survey reported that the number of credit union employees devoted to IT compliance has nearly doubled since 2010. Furthermore, a large majority (82 percent) of survey respondents reported that they were impacted by a local merchant breach within the past two years.
Support Legislation to Create a National Data Security Standard
Urge your representatives to support a strong national standard of data security for all entities that handle sensitive consumer financial information.