Congress Should Move Beyond GLBA to New Data-security Laws

Credit unions are deeply concerned that Americans’ financial wellness is compromised by inconsistent privacy and security standards applied to businesses that possess, process or transport consumers’ nonpublic personal information (NPI), CUNA wrote to the House Financial Services Committee Task Force on Financial Technology last week. The task force conducted a hearing on the role of “big data” in financial services, and CUNA’s letter was sent for the record.

The letter notes that, while credit unions and other financial institutions follow requirements of the Gramm-Leach-Bliley Act (GLBA) and view applying those protections to others a “good first step,” there is more that should be done.

“We would prefer that Congress move beyond GLBA and develop a uniform privacy and data security law that regulates data and privacy protections based on the type of data instead of the current sector-specific approach,” the letter reads. “While the sector-specific approach worked well when American’s health and financial information were mainly in the possession of health care providers and depository institutions, Big Data’s insatiable appetite for NPI has made regulation under the current framework difficult at best.”

CUNA prefers Congress move beyond GLBA to “develop a uniform privacy and data security law that regulates data and privacy protections based on the type of data,” instead of a sector-specific approach.

CUNA and the state leagues support legislation that would:

  • Apply data privacy and data security standards to everyone — all business, institutions and organizations — and hold each link in the transaction journey accountable;
  • Create equal expectations and protections by harmonizing inconsistencies through new legislation that protects sensitive information based on the type of information rather than the type of entity that possess it;
  • Create a national standard that is the ceiling for requirements;
  • Base protections on strong standards that protect data; and
  • Safeguard consumer protections by providing mechanisms to address the harms that result from privacy violations and security violations, including data breaches.