Data Privacy and Security

Recent Activity

Legislative and Regulatory Advocacy

As the House Financial Services Committee and other relevant committees begin to consider data privacy and security legislation in the 118th Congress, NAFCU is continuing to advocate for federal data privacy and security legislation that respects the existing standards established by the Gramm-Leach-Bliley Act (GLBA) and does not involve a private right of action. The House Financial Services Committee’s Financial Institutions Subcommittee and the House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee have each held hearings to examine privacy legislation. The full House Financial Services Committee considered Chairman Patrick McHenry’s (R-NC) privacy bill, the Data Privacy Act of 2023, at a markup on February 28, 2023, where it passed by a 26-21 vote. NAFCU wrote to the Committee ahead of the markup to share the credit union perspective on this legislation and broader issues related to GLBA modernization.

NAFCU is also working hard to build coalitions to support this advocacy work, and we participate in multiple working groups advocating for federal data privacy and security standards to ensure the credit union perspective is heard.

In the previous Congress, Representatives Frank Pallone (D-NJ), Cathy McMorris Rodgers (R-WA), Jan Schakowsky (D-IL), and Gus Bilirakis (R-FL) introduced the American Data Privacy and Protection Act (ADPPA). NAFCU actively opposed this legislation, which did not provide a full exemption to entities like credit unions that are subject to data security requirements under the Gramm-Leach-Bliley Acy (GLBA). The House Energy and Commerce Committee passed the ADPPA by a 53-2 vote in July 2022, but the bill did not come up for a vote before the full House. The FY 2022 appropriations omnibus package included provisions that require companies and federal agencies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of any significant security breach and within 24 hours of a ransomware payment. This legislation was signed into law on March 15, 2022.

While this issue must ultimately be resolved at the federal level, NAFCU is actively monitoring privacy legislation at the state level as well to ensure both credit unions and Congress are fully aware of the fragmented state of the law. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, and the California Privacy Rights Act (CPRA) and privacy laws in Virginia, Colorado, and Utah will take effect in 2023. Other state legislatures across the country continue to consider data privacy legislation.

We ask credit unions to take action and ask their members of Congress to support a national data privacy and security standard for all entities that handle sensitive financial information. NAFCU will continue to support legislation that protects consumers, provides certainty for credit unions, and holds retailers, merchants and fintech companies responsible for their own data security practices.

Testimony

NAFCU has testified before Congress several times over the last few years on what we would like to see in any comprehensive data security standard.

On November 1, 2017, Debra Schwartz, President and CEO of Mission Federal Credit Union and NAFCU Board Vice Chair, testified before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled "Data Security: Vulnerabilities and Opportunities for Improvement." In her testimony, Schwartz explained the impact recent data breaches have had on credit unions and steps Congress can take to hold other entities to similar standards as financial institutions.

On March 8, 2017, Chevron Federal Credit Union’s former President/CEO Jim Mooney testified before the House Small Business Committee at a hearing entitled "Small Business Cybersecurity: Federal Resources and Coordination." In his testimony, Mooney called on Congress to introduce legislation similar to the Data Security Act of 2015 to create a national standard of data security that applies to all entities in the payments chain.