The Credit Union National Association (CUNA) wrote to the Federal Trade Commission (FTC) in support of amendments to the Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive security program to keep consumer information secure.
Although CUNA was generally supportive of the changes proposed by the FTC, it reiterated its strong support for national data security standards from Congress, adding that the FTC was “in the position to help lead the effort for robust protection for all consumers.”
The FTC has proposed amendments to the Safeguards Rule which generally incorporate aspects of the New York Department of Financial Services’ cybersecurity rule and the National Association of Insurance Commissioners’ model law.
CUNA said it generally supported the proposed changes.
“Strong data security laws will not stop criminals or rogue nation states from attempting to penetrate even the most sophisticated data and cybersecurity defenses,” CUNA Senior Director of Advocacy and Senior Counsel for Payments and Cybersecurity Lance Noggle wrote. “However, American consumers that trust their personal information to businesses deserve the most diligent effort by those businesses and entities to protect this data from theft and misuse.”
Among the areas of concern for the trade association is the requirement for credit unions and banks to comply with the Gramm-Leach-Bliley Act (GLBA), along with the 115 privately insured credit unions that are subject to the Safeguards Rule.
“We believe that all American business entities and individuals that handle or maintain consumers’ personal information should be subject to similar requirements,” CUNA stated.
Acknowledging the concerns about overregulating small businesses, CUNA said its own industry’s experience could serve as a model for how data protection can be accomplished across institutions of very different sizes.
“The size of federally insured credit unions varies from less than 210 members with fewer than $20,000 in assets and volunteer employees to over 8.4 million members with over $100 billion in assets,” the letter said. “As mentioned above, federally insured credit unions are subject to the National Credit Union Administration’s data security and privacy regulations, which implement GLBA’s requirements. These regulations are flexible enough that both volunteer employees and sophisticated information technology staff can apply the requirements to their respective credit unions.”
Citing data breaches at companies outside the financial system, such as Marriott, Home Depot and Target, CUNA said more vigilant information security practices could have stopped those from happening.
“We believe that federal data security laws with federal enforcement authority would have forced these negligent actors to take their duty to protect customers’ information more seriously,” the letter stated. “We realize that passing new legislation requires action by Congress and is beyond the scope of this request for comment and the FTC’s statutory authority; nonetheless, the FTC is in the position to help lead the effort for robust protection for all consumers.”
Among its suggestions on the amendments themselves, CUNA urged an exception for the 115 privately insured credit unions subject to the Safeguards Rule because of the state regulatory oversight to which they are already subject.
“This is an extra level of protection that most other entities subject to the Safeguards Rule do not have. Because privately insured credit unions are examined by state examiners who are likely more familiar with NCUA’s data security regulation or their own state’s data security regulation, the FTC should explore allowing a privately insured credit union to comply with either NCUA’s regulation or the regulation of the state in which the credit union is chartered,” CUNA stated.
CUNA also expressed specific support for requirements that financial institutions establish an incident response plan.
“An incident response plan helps ensure that an entity is prepared in case of an incident by planning how it will respond and what is required for the response,” the letter stated. “We also support a notification requirement as part of the incident response plan.”