Inconsistent Data Security Standards Put Financial Health at Risk

Credit unions are deeply concerned that Americans’ financial wellness is compromised by inconsistent privacy and security standards applied to businesses that possess, process or transport consumers’ nonpublic personal information (NPI), CUNA wrote to the Senate Commerce Committee Wednesday. The committee conducted a hearing to examine legislative proposals to protect consume data, and CUNA submitted a letter for the record.

“[Credit unions] fear that non-depository institutions, such as data aggregators and other businesses that collect and sell data put Americans’ financial well-being at risk by not protecting the data and by using it in ways that target marginalized communities,” the letter reads. “Furthermore, misuse of NPI makes it more difficult for credit unions to deliver necessary financial services to these communities.”

Credit unions and other financial institutions follow requirements of the Gramm-Leach-Bliley Act (GLBA) and view applying those protections to others a “good first step,” but CUNA’s letter notes there is more that should be done.

Committee Chairman Roger Wicker (R-MS) released a draft of the legislative proposals covered in the hearing and CUNA supports the draft’s principles.

“The Chairman’s proposal contains many provisions that would greatly enhance protections for Americans by giving them ownership of their data and requiring the data to be protected from theft and misuse through enhanced data security protection,” the letter reads.

CUNA and the state leagues support legislation that would:

  • Apply data privacy and data security standards to everyone — all business, institutions and organizations — and hold each link in the transaction journey accountable;
  • Create equal expectations and protections by harmonizing inconsistencies through new legislation that protects sensitive information based on the type of information rather than the type of entity that possess it;
  • Create a national standard that is the ceiling for requirements;
  • Base protections on strong standards that protect data; and
  • Safeguard consumer protections by providing mechanisms to address the harms that result from privacy violations and security violations, including data breaches.