NAFCU White Paper Outlines Privacy Principles

As federal and state lawmakers consider new privacy legislation regarding consumers’ personal information, NAFCU recently developed a white paper outlining six essential principles toward implemention of a national data privacy standard.

“With data breaches on the rise, protecting consumers’ data is more important today than ever before,” Dan Berger, NAFCU president and CEO, said. “Recent events prove that vulnerable data security standards place consumers at significant risk, and a national data privacy standard would help ensure consumers’ data is fully protected, while also continuing to foster innovation and help grow our economy. NAFCU looks forward to working closely with lawmakers as they look to reform our outdated policies.”

NAFCU’s six principles for data privacy reform include:

1. A comprehensive national data security standard covering all entities that collect and store consumer information. NAFCU said it believed financial institutions and non-financial institution entities – including fintech, retailers, and others handling personal information – should face the same data privacy and security standards, which currently is not the case.
2. Harmonization of existing federal laws and preemption of any state privacy law related to the privacy or security of personal information. Without a federal standard in place, states have taken solutions into their own hands. However, NAFCU said its concern is that the patchwork of privacy laws has created a confusing, burdensome environment.
3. Delegation of enforcement authority to the appropriate sectoral regulator. For credit unions, the NCUA should be the sole regulator. NAFCU is supportive of a strong, independent NCUA as the agency is well-versed in credit unions’ unique nature and is best equipped to examine credit unions for data privacy and cybersecurity compliance.
4. A safe harbor for businesses that take reasonable measures to comply with the privacy standards. A federal data privacy bill should take a principles-based approach to its requirements based on an institution’s specific operations and risk profile. NAFCU noted those organizations that develop and implement appropriate measures should receive a safe harbor.
5. Notice and disclosure requirements that are easily accessible to consumers and do not unduly burden regulated entities. NAFCU recommended incorporating requirements from the Gramm-Leach-Bliley Act, which credit unions are already subject to, to avoid conflicting or duplicative disclosure requirements.
6. Scalable civil penalties for noncompliance imposed by the sectoral regulator that seek to prevent and remedy consumer injury. Given the difficulty in establishing damages to consumers, which increases the likelihood of frivolous lawsuits, each regulator should have the ability to assess scalable civil penalties to remedy and prevent consumer harm.

The white paper also provided a deep dive into current privacy laws impacting credit unions, including the European Union’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and reviewed ongoing state and federal legislative efforts and additional considerations for a federal privacy standard.

“These are good principles in that they provide a consistent approach for practices to protect individual privacy across the credit union industry,” Paul Love, chief information security and privacy officer for Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. “This protects the consumer regardless of which state they live in and also provides a more consistent, less complex approach to compliance with privacy requirements. Complexity in regulation can lead to confusion, misinterpretation and unneeded burden, resulting in less time and energy to focus on protecting consumer privacy.”

Love added, “The NAFCU’s recommendation number 3 calls for the delegation of enforcement authority to the appropriate sectoral regulator, which for credit unions would be the NCUA.” Love noted this provides a means for an independent third party to monitor and regulate privacy implementation, and puts it in the hands of an organization that understands the nuances of the industry, leading to better compliance and protection for credit union members. “Overall, this is a reasonable approach that weighs the benefits for the members and the credit unions in the shared goal of protecting our members’ privacy,” he said.

Paul Bischoff, privacy advocate with Comparitech, a pro-consumer website providing information, tools, and comparisons, also commented: “The proposed federal data privacy standard frankly seems focused on making it easier to do business and doesn’t prioritize consumer well-being. I certainly understand the desire for a uniform national law, but preempting all state privacy laws could in fact weaken consumer privacy protections. If the CCPA mandates data portability and the new federal law does not, for example, consumers in California could end up with fewer protections than they started with. The proposal lacks any specific technological or operational security standards, leaving too much room for lobbyists to carve out loopholes and cut corners.”

The Comparitech privacy advocate also suggested the NAFCU proposal could work as a federal minimum privacy standard and make certain legal vocabulary more consistent, but disagreed it should preempt state laws. “Digital privacy is a quickly evolving space in which we cannot foresee all outcomes, so I think state laws can serve as a useful testing ground for federal privacy laws.” As an example, the EU passed the ePrivacy Directive, which set out some rules and let countries decide on interpretation and enforcement. “A few years later, they passed the ePrivacy Regulation, which created a mandatory, uniform law across all member states. I think this is a more viable path that the U.S. can imitate.”

Look for an article about privacy regs coming in January in CU Times.