3 Data Breaches Demonstrate Need for Legislative Action: NAFCU
NAFCU renews its call for Congress to require merchants to comply with the same data security standards as FIs.
Citing three recent data breaches, NAFCU has renewed its call for Congress to require retailers and other businesses to comply with the same data security standards that financial institutions must follow.
“As NAFCU has previously communicated to Congress, there is an urgent need for a national data security standard for entities that collect and store consumers’ personal and financial information that are not already subject to the same stringent requirements as depository institutions,” NAFCU Vice President of Legislative Affairs Brad Thaler wrote in a letter to House and Senate leaders.
He cited recent data breaches at Barnes and Noble bookstores, Dickey’s Barbecue Pit and fintech company Robinhood Markets as evidence that such a standard is needed.
Credit union trade groups have long pushed for a data security standard for retailers and others. It appears that the 116th Congress will adjourn without acting on such legislation.
The issue has often become bogged down in intramural squabbles on Capitol Hill. For instance, the House Financial Services Committee has sided with credit unions, stating that retailers should be subject to the same rules as financial institutions. Those standards are contained in the Gramm-Leach-Bliley Act. The House Energy and Commerce Committee has opposed that effort, so any legislative effort has stalled.
Thaler said the three data breaches should serve as another reminder that Congress needs to act to prevent them.
He said Congress also should be asking why the Securities and Exchange Commission has not extended its systems compliance rules to retail broker-dealers such as Robinhood.
“Credit unions suffer steep losses in re-establishing member safety after a data breach and are often forced to absorb fraud-related losses in its wake,” Thaler wrote.
He said negligent entities should be held financially liable for any losses that occur during breaches on their end. He added that depository institutions should be informed of breaches as soon as they occur.
He also said legislation should require any business storing consumer data to meet the same storage standards as financial institutions.
And he noted that NAFCU believes consumers should have the right to know who is responsible for data breaches, so Congress should mandate the disclosure of the identity of the company responsible.