Shortly after the Federal Trade Commission (FTC) proposed amendments to strengthen the privacy standards implemented under the Gramm-Leach-Bliley Act (GLBA), the Independent Community Bankers of America (ICBA) wrote to Senate Banking Committee leaders urging them to expand the statutory requirements pertaining to the protection of personally identifiable information (PII).
ICBA President and CEO Rebeca Romero Rainey wrote in the letter that her organization supports current information privacy standards that apply to banks and believes that all entities that collect and store PII should be subject to them as well.
“Community banks and other financial institutions are required by statute and regulation to safeguard personally identifiable information,” Rainey said. “To ensure consumers receive enhanced protection of their personal information, all entities that handle personal information should be required to safeguard this information, in a manner comparable to financial institutions.”
Specifically, Rainey argued that privacy standards, such as those required under GLBA, should apply to third-party contractors, credit bureaus such as Equifax, retailers and other non-bank entities with access to personal information in a manner comparable to how they are applied to financial institutions. Even federal regulators should be subject to such requirements, she asserted.
“No company, financial institution, or government agency is exempt from insider threats or criminals breaking into their systems and yanking the personal information of their customers, employees, and/or general stakeholders,” Rainey said. “In fact, the prudential banking regulators have had their share of data security incidents.”
She listed numerous examples in which PII held by federal regulators was compromised, including reported incidents or attacks at the Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corp., Consumer Financial Protection Bureau and National Credit Union Administration.
“ICBA is troubled that liability from a potential breach into any of the prudential regulators’ systems could be unfairly assigned to community banks that securely submitted their data,” Rainey said. “Too often, the breached entity skates by while financial institutions are left to mitigate damages to their customers.”
In addition to subjecting the aforementioned entities to current privacy standards, the letter spells out numerous suggestions for legislative action that could help strengthen measures for the protection of sensitive consumer information, some of which have been proposed previously.
Rainey noted ICBA’s support for establishing a national breach notification standard as “a good first step to ensure consistent consumer notification in the case of a breach, rather than a patchwork of state laws in this area.”
She pointed out that banks are required, through law and regulation, to provide consumers and customers with privacy notices and various other disclosures regarding the information they collect and share, as well as the purpose for doing so. Banks also are required to collect certain PII based on various regulatory requirements and provide that information to prudential regulators.