Data Privacy Legislation Isn’t Enough; Data Breach Standard Needed: CU Trades
Consideration of "national privacy legislation should also include serious discussion on data security and breach notification.”
Even as a key senator is renewing his call for a data privacy law, credit unions on Wednesday asked Senate Commerce Chairman John Thune (R-S.D.) not to lose sight of the need for a federal data breach standard.
“The question is no longer whether we need a federal law to protect consumers’ privacy,” Thune said, as the committee convened a hearing on data privacy. “The question is what shape that law should take.”
Thune said that he believes there is a strong desire to reach a consensus on a national consumer data privacy law that would “help consumers, promote innovation, reward organizations with little to hide, and force shady practitioners to clean up their act.”
However, credit union trade groups told Commerce Committee leaders in letters that data privacy is only one-side coin.
“Any consideration of a national privacy legislation should also include serious discussion on data security and breach notification,” CUNA President/CEO Jim Nussle wrote.
Nussle said that credit unions and other financial institutions are heavily regulated in the way they may use consumer data, but others are not.
Depository institutions are governed by the Gramm-Leach-Bliley Act, Brad Thaler, NAFCU’s vice president of legislative affairs, told the committee.
“Credit unions suffer steep losses in re-establishing member safety after a data breach occurs and are often forced to absorb fraud-related losses in its wake,” Thaler wrote.
Data security legislation has been bogged down by battles between financial institutions and retailers.
The House Financial Services Committee recently approved data breach legislation sponsored by Rep. Blaine Luetkemeyer (R-Mo.). Luetkemeyer’s legislation does not include any data breach provisions dealing with retailers. He said he would have preferred that the measure included such a provision but lamented that the Financial Services Committee could not accomplish that on its own—a veiled reference to those who oppose legislation dealing with retailer data breaches.