NTIA Should ‘Seriously Consider’ CU Data Security Priorities

Credit unions have a long history of safeguarding information and are subject to numerous requirements, unlike others that use or maintain consumer information, CUNA wrote to the National Telecommunications and Information Administration (NTIA) Friday. CUNA sent its comments in response to a request for comment on developing an administration policy for consumer data privacy.

“Safeguarding consumers’ money and personal information is the bedrock of the financial services industry. In order to adhere to the requirements of an array of different laws and regulations associated with making financial transactions, financial services institutions store and collect a wide range of consumer information,” the letter reads. “Due to a history of self-regulation, enhanced through strict government standards, credit unions and the rest of the financial services industry have built a strong culture dedicated to protecting consumers’ personal information.”

The letter notes that many industries do not face the same requirement, which leads to merchant data breaches for which credit unions and other financial institutions bear significant financial responsibility.

“The cornerstone of any new privacy requirement should be robust data security standards for businesses and other entities that collect and hold consumers’ personal information,” the letter reads.

CUNA urged NTIA to seriously consider its priorities for data security, which include:

  • A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection;
  • A GLBA-equivalent notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm;
  • Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state attorneys general; and
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.