League Calls Congressional Hearing On Data Breaches "A Start"


In reaction to the House Subcommittee on Commerce, Manufacturing and Trade's Hearing on Capitol Hill on Tuesday, January 27, on potential data breach legislation, your League's President John Murphy stated, "This is a start to hopefully meaningful conversations and, ultimately, legislation that will deal with this significant and growing problem for credit unions." Over the past 12 months, data breaches have cost Maine credit unions approximately $2.5 million in card reissuance costs and fraud losses. "Clearly, something needs to be done and sooner rather than later," remarked Murphy.

At the hearing, Rep. Gus Bilirakis (R-Fla.) said, "A stable law to ensure merchants are appropriately protecting consumers is needed." The Subcommittee Chair, Rep. Fred Upton (R-Mich.), said Congress has a real opportunity to set a single national data security standard, which is a key component to combating the effects of data breaches. The members of the Subcommittee all agreed at the outset of the hearing that data breach legislation that is universal and includes standards for consumer notification is needed. There are currently 47 different state laws dealing with data breach notification and 12 state laws governing commercial data security.

The Credit Union National Association (CUNA) submitted a letter, along with other financial trade associations, on this issue that was accepted into the Subcommittee Hearing's record. Key points in the letter included:

  • Strong national data protection and consumer notification standards with effective enforcement provisions must be part of any comprehensive data security regime, applicable to any party with access to important consumer financial information.
  • Credit unions are already subject to robust data protection and notification standards. Gramm-Leach-Bliley Act (GLBA) requirements must be recognized.
  • Inconsistent state laws and regulations should be preempted in favor of strong Federal data protection and notification standards.
  • In the event of a breach, the public should be informed where it occurred as soon as reasonably possible to allow consumers to protect themselves from fraud. Credit unions, which often have the most direct relationship with affected consumers, should be able to inform their members about the information regarding the breach, including the entity at which the breach occurred.
  • Too often, credit unions bear a disproportionate burden in covering the costs of breaches occurring beyond their premises. All parties must share in protecting consumers. Therefore, the costs of a data breach should ultimately be borne by the entity that incurs the breach.

More Resources on Data Breaches from CUNA:

Stop the Data Breaches