Credit unions already have many data security requirements to comply with, and any additional laws should focus on regulating those entities that aren't regulated. That's the message Air Academy FCU's Glenn Strebe gave during testimony before a House subcommittee today.

“The best way to move forward and address data breaches is to create a comprehensive regulatory scheme for those industries that are not already subject to oversight. At the same time, the oversight of credit unions, banks and other financial institutions is best left to the functional financial institution regulators that have experience in this field. By and large, financial institutions, especially credit unions, have not been the source of significant data breaches,” he told the House Small Business Committee's Subcommittee on Healthcare and Technology.

Strebe, who testified on behalf of NAFCU, said the association backs pending legislation that would require additional security standards for personal and account information and mandate notification procedures if there is a data security breach.

Credit unions have in recent years had to deal with the costs of responding to the results of data breaches at merchants and vendors. Strebe said his own credit union is “relentless” about protecting data, has never been hacked from the outside, and has never had a member's sensitive information accessed without authorization.

He said they have achieved this success with a 13-point security plan that costs around $300,000 per year to maintain.

Strebe, whose credit union has $420 million in assets and $42,000, said any law to improve cyber security should have merchants pay the costs when they experience a data breach, mandate that merchants display their data security policy, and mandate a procedure for disclosing which companies have had a data breach.

In a letter to the subcommittee, CUNA President/CEO wrote that merchants have far fewer requirements than credit unions when it comes to data security.

“Merchants are not subject to federal data security requirements, nor are they financially liable for damages. In some cases, merchants do not even face reputational risk as a result of a breach because they are not required, under federal law, to disclose a breach,” he wrote. “Until there are consequences to these bad actions, voluntary standards will not be sufficient to protect consumers.”
