NAFCU Releases Data Security Principles Ahead of Senate Hearing

WASHINGTON, Feb. 5 -- The National Association of Federally-Insured Credit Unions issued the following news release:

National Association of Federally-Insured Credit Unions (NAFCU) Vice President of Legislative Affairs Brad Thaler in a letter today to the Senate Commerce Committee, Subcommittee on Consumer Protection, Product Safety, Insurance, and Data offered the association's data security principles that credit unions would like to see addressed in comprehensive cyber and data security legislation ahead of a subcommittee hearing tomorrow that will examine a 2016 data breach that occurred at ride-sharing company Uber.http://link.email.dynect.net/link.php?DynEngagement=true&H=s8mq%2BFF8Y8J%2F7%2FXrLp5ygdcwMPrxjsUdQBMch4EEnHhpCCjF3%2FNlfA69yJr86xi1yUr5daA5yIfSw5q2wzaKKmoyApJyeAIArZX0UqRiqZNAr%2BRrfewqdA%3D%3D&G=0&R=https%3A%2F%2Fwww.commerce.senate.gov%2Fpublic%2Findex.cfm%2Fhearings%3FID%3D73871FA8-29AD-4ED5-ABB8-C86B4BE4E0A3&I=20180205203846.00000030a97a%40mail6-34-usnbn1&X=MHwxMDQ2NzU4OjVhNzhjMGQzZDJjNzBmOTBmYzM5NDM3MDs%3D&S=ebbQ8gCoxCDCIGrQomm1c0hPpe5oouhtIFM_ZKWZpNk

"The ever-increasing number of data breaches demonstrates the need for a national data security standard for entities that collect and store consumers' personal and financial information that are not already subject to the same stringent requirements as depository institutions," Thaler wrote.

Below are NAFCU's data security principles, which includes:

- requiring entities to be accountable for related costs of data breaches that occur on their end, especially if the breach is caused by that entity's negligence;

- requiring all entities that store consumer data to meet standards similar to those imposed on depository institutions under the Gramm-Leach-Bliley Act (GLBA);

- requiring merchants to post their data security policies at the point of sale if they take sensitive financial data;

- informing financial institutions of any compromised personally identifiable information when associated accounts are involved;

- disclosing names of the companies and merchants whose data systems have been violated so consumers are aware of those that place their personal information at risk;

- enforcing violations of existing agreements and law by those who retain payment card information electronically; and

- having the evidentiary burden of proving a lack of fault rest with the negligent entity that incurred the data breach.

NAFCU has been active on data security issues in recent years. The association was the first financial trade group to call for a national data security standard for retailers in the wake of the 2013 Target breach, and last November, a NAFCU witness testified before a House Financial Services subcommittee and recommended ways to curb data breaches.http://link.email.dynect.net/link.php?DynEngagement=true&H=s8mq%2BFF8Y8J%2F7%2FXrLp5ygdcwMPrxjsUdQBMch4EEnHhpCCjF3%2FNlfA69yJr86xi1yUr5daA5yIfSw5q2wzaKKmoyApJyeAIArZX0UqRiqZNAr%2BRrfewqdA%3D%3D&G=0&R=https%3A%2F%2Fwww.nafcu.org%2FNews%2F2017_News%2FNovember%2FNAFCU_s_8th_Hill_testimony_this_year_provides_ways_to_curb_data_breaches%2F&I=20180205203846.00000030a97a%40mail6-34-usnbn1&X=MHwxMDQ2NzU4OjVhNzhjMGQzZDJjNzBmOTBmYzM5NDM3MDs%3D&S=m0lMjxAdvgstyXStH5oG-RaMLl1unWGOmZ6PKLHVgi4

For full text of the letter, please click here. http://link.email.dynect.net/link.php?DynEngagement=true&H=w8Bl7ZSLqC%2BFFEF9P0XN9HJB14ltnTgt2r4zKtmGsiA5bfE55aykHxCL1F%2BEOmgCKwwqrrPV%2FeV7tII5dF09C9BGek%2Bx8TitNcBp9WqJDbahfTYMIMLOzw%3D%3D&G=0&R=https%3A%2F%2Fwww.nafcu.org%2FWorkArea%2FDownloadAsset.aspx%3Fid%3D73624&I=20180205230703.0000006973b7%40mail6-51-ussnn1&X=MHwxMDQ2NzU4OjVhNzhlMzkxODZjNGE1NGZmYzFmNzc1Mjs%3D&S=GKK6pu7sKBoILE9qm7PFb3CoyfMGnhaEFUX-N8GkPQ0