The National Association of Federally-Insured Credit Unions (NAFCU) recently developed a new white paper that outlines six essential principles for implementing a national data privacy standard as lawmakers – at both the federal and state level – consider new legislation regarding consumers’ data privacy.
The rundown of those six principles includes:
1. A comprehensive national data security standard covering all entities that collect and store consumer information.
NAFCU believes that financial institutions and non-financial institution entities — including fintech, retailers, and others that handle personal information — should be held to the same data privacy and security standards, which currently is not the case.
2. Harmonization of existing federal laws and preemption of any state privacy law related to the privacy or security of personal information.
Without a federal standard in place, NAFCU said that states have taken solutions into their own hands. However, NAFCU is concerned that the patchwork of privacy laws has created a confusing, burdensome environment.
3. Delegation of enforcement authority to the appropriate sectoral regulator.
For credit unions, the NCUA insisted it should be the sole regulator. NAFCU is supportive of a strong, independent NCUA as the agency is well-versed in credit unions’ unique nature and is best equipped to examine credit unions for data privacy and cybersecurity compliance.
4. A safe harbor for businesses that take reasonable measures to comply with the privacy standards.
Official said a federal data privacy bill should take a principles-based approach to its requirements based on an institution’s specific operations and risk profile. Those organizations that develop and implement appropriate measures should be provided a safe harbor.
5. Notice and disclosure requirements that are easily accessible to consumers and do not unduly burden regulated entities.
NAFCU recommends incorporating requirements from the Gramm-Leach-Bliley Act (GLBA), which credit unions are already subject to, to avoid conflicting or duplicative disclosure requirements.
6. Scalable civil penalties for noncompliance imposed by the sectoral regulator that seek to prevent and remedy consumer injury.
Given the difficulty in establishing damages to consumers, which increases the likelihood of frivolous lawsuits, NAFCU suggested each regulator should have the ability to assess scalable civil penalties to remedy and prevent consumer harm.
“With data breaches on the rise, protecting consumers’ data is more important today than ever before,” NAFCU president and chief executive officer Dan Berger said. “Recent events prove that vulnerable data security standards place consumers at significant risk, and a national data privacy standard would help ensure consumers’ data is fully protected, while also continuing to foster innovation and help grow our economy.
“NAFCU looks forward to working closely with lawmakers as they look to reform our outdated policies,” Berger went on to say.
The complete 37-page white paper can be downloaded here.