Data Privacy Laws Up for Debate in 2020
With more and more personal info being distributed, many state lawmakers are considering new privacy legislation regarding consumers’ data.
Big data has allowed credit unions and other financial institutions to learn more about their accountholders. However, their effort to provide consumers with more efficient, personalized service has been met with challenges as discussions around data privacy heat up.
With more personal information being used and distributed by so many organizations, federal and many state lawmakers are considering new privacy legislation regarding consumers’ data.
Though no specific national privacy regulation currently exists, any nationwide rules would likely follow the European Union’s General Data Protection Regulation that took effect in 2018 and the California Consumer Privacy Act, which took effect on Jan. 1, 2020. For example, proposals being discussed in the Senate seek to establish guidelines on how companies gather, employ, peddle and share customer data; and provide consumers with the capacity to control their information.
A recent NAFCU white paper outlined six essential principles for implementing a national data privacy standard. “With data breaches on the rise, protecting consumers’ data is more important today than ever before,” NAFCU President/CEO Dan Berger said. “Recent events prove that vulnerable data security standards place consumers at significant risk, and a national data privacy standard would help ensure consumers’ data is fully protected, while also continuing to foster innovation and help grow our economy.”
NAFCU’s principles called for a comprehensive national data security standard, harmonization of existing federal laws and preemption of any state law related to the privacy or security of personal information, delegation of enforcement authority to the appropriate regulator, a safe harbor for businesses taking reasonable measures to comply with privacy standards, notice and disclosure requirements easily accessible to consumers and not unduly burdening regulated entities, and scalable civil penalties for noncompliance.
“These are good principles in that they provide a consistent approach for practices to protect individual privacy across the credit union industry,” Paul Love, chief information security and privacy officer for CO-OP Financial Services, said. “This protects the consumer regardless of which state they live in and also provides a more consistent, less complex approach to compliance with privacy requirements.”
Love added, “NAFCU’s recommendation calls for the delegation of enforcement authority to the appropriate sectoral regulator, which for credit unions would be the NCUA.” Love noted this provides a means for an independent third party to monitor and regulate privacy implementation, and puts it in the hands of an organization that understands the nuances of the industry, leading to better compliance and protection for credit union members.
Paul Bischoff, privacy advocate with Comparitech, a pro-consumer website, said the NAFCU proposal could work as a federal minimum privacy standard, but disagreed that it should preempt state laws.
“Digital privacy is a quickly evolving space in which we cannot foresee all outcomes, so I think state laws can serve as a useful testing ground for federal privacy laws,” Bischoff said, adding, “I certainly understand the desire for a uniform national law, but preempting all state privacy laws could in fact weaken consumer privacy protections. If the CCPA mandates data portability and the new federal law does not, for example, consumers in California could end up with fewer protections.”
Complicating privacy matters further, laws governing online privacy in the U.S. differ widely from state to state. Comparitech evaluated and ranked each state based on key criteria, which ranged from laws governing how companies can use and disclose customer data to those protecting journalists, children and employees.
The best U.S. state for online privacy, according to the Comparitech study, is California, which, Bischoff said, has enacted many laws for specific privacy issues that other states ignore. “What’s more, the state has also created what the ACLU called the most comprehensive digital privacy law in the nation.”
Bischoff pointed out California is the only state to mention an inalienable right to privacy in its state constitution and enact a law specifically protecting data gathered from the Internet of Things.
The next best states for privacy protection, the study said, are Delaware and Utah. Delaware has laws requiring government disposal of customer data after a set period of time; privacy protection for e-readers, library users and employees; and laws addressing advertising to children. Utah bars internet service providers from sharing data with third parties without consent, requires all non-financial businesses to reveal the personal information types distributed to third parties and limits companies to a specific customer data shelf life.
The worst state for online privacy, according to Comparitech, is Wyoming. “While not all states have shield laws to protect journalists, Wyoming is the only state that doesn’t even have a court precedent for doing so.” The study also said companies in the worst-ranked state can retain users’ personal data indefinitely, and employers can compel employees to reveal their passwords to social media accounts.
A few states that tied for the second worst all lacked requirements for data disposal after a set period of time. In addition, Mississippi lacks laws protecting employee personal accounts and communications from employers, and K-12 student information; Idaho provides no shield law, or social media privacy protection from employers or educational institutions; Pennsylvania has no grade school student info guardrails or social media profile protection from employers or schools; and Iowa provides no shield law or social media privacy protection.
Bischoff said, “I expect we’ll see more laws like the GDPR and CCPA passed in the next few years, possibly at a federal level,” adding, “Neither U.S. citizens nor citizens of any country should expect their government to protect their privacy from all threats. It’s up to all of us as individuals to be proactive in guarding our privacy.”
Paul Bischoff suggested some ways fintech organizations and credit unions can address handling personal member information and deal with outside threats to the data. “Encryption and access control are the foundations of how fintech organizations need to secure personal information,” he noted.
He said to be very careful about bringing in third parties to process and handle customer or member information, always obtain informed consent before collecting any personal information, only retain data for as long as necessary and make it possible for users to securely access their information upon request.
Rebecca Herold, founder of SIMBUS and CEO of The Privacy Professor, said these core elements are necessary for fintech organizations to securely handle personal information, while concurrently meeting most regulatory compliance requirements:
- Strong executive support, and clear information security and privacy authority. Fintech institutions will not be successful with their privacy and information security program efforts without clear and strong support from executive management.
- Privacy and security policies and procedures. This helps ensure consistent policy implementation, adherence and enforcement.
- Risk management. Fintech institutions need to establish, as part of their larger information security and privacy program, a risk management program that includes risk assessments.
- Training and awareness. You can have the best policies and procedures in the world, but if workers have not read and received training on them, and do not know how to implement them in their own daily job responsibilities, they will not be useful.
- Vendor management. Commitments to protect data do not end with data activities assigned to third parties; responsibilities follow that data.
- Breach management. You should implement regulatory requirements for breach identification, management and notices, such as per the Gramm-Leach-Bliley Act final guidance. There are also at least 54 state and territory level breach notice laws in place.
Herold explained, “To meet a wide variety of legal obligations and regulatory compliance requirements, fintech and financial organizations need to implement strong protections for personal information they collect, store, transmit, process and otherwise access, that is collected or derived from their customers, and consumers (those who provide information to the institution, but are not actual customers), as well as their employees. These legal obligations generally also apply to third parties that financial institutions engage with.”
Herold also noted the most efficient way to deal with all legal compliance requirements for privacy and information security is to identify the requirements within each information security and privacy topic. “By following just one set of practices for each of the topics, it demonstrates to both regulators and members/customers that the financial institution is concerned and proactive in its privacy and security practices.”
Herold advised institutions to always remember that “regulators will generally not penalize a financial institution for having too much security and privacy implemented, but they will penalize (sometimes quite severely) financial institutions that fall short of their compliance obligations.”