Data Security Is Everyone's Responsibility: Berger
All who collect and store personally identifiable and financial data should be held to the same data security standards, NAFCU President/CEO Dan Berger told the House Small Business Committee Wednesday morning.
In his testimony on a panel that included witnesses from Intel Corporation, the National Small Business Association and the National Cybersecurity Institute, Berger cited the 1999 Gramm-Leach-Bliley Act, which required credit unions to maintain data security standards. Regulations implemented from the law have successfully limited data breaches among financial institutions, he said.
Berger said in his written testimony that NAFCU supports modernizing data security laws to reflect the complexity of the current payments environment, and added that retailers and merchants must adhere to a strong federal standard.
Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) introduced the Data Security and Breach Notification Act April 16. The bill would protect the ability of consumers and financial institutions to sue retailers over the financial damages related to a data breach. Both NAFCU and CUNA went on record in support of the bill.
The legislation also importantly recognized that credit unions are already subject to the Gramm-Leach-Bliley Act.
“The oversight of credit unions, banks and other financial institutions is best left to the functional financial institution regulators that have experience in this field,” Berger wrote in his testimony. “It would be redundant at best and possibly counter-productive to authorize any agency — other than the functional financial institution regulators — to promulgate new, and possibly duplicative or contradictory, data security regulations for financial institutions already in compliance with GLBA.”
Berger also cited a recent NAFCU survey that reported credit unions, on average, spent $136,000 on data security measures and $226,000 in costs associated with merchant data breaches in 2014.