The Time for a National Data Security / Data Privacy Standard is Now

On the heels of this week’s release of the Consumer Financial Protection Bureau’s (CFPB) final 1033 rule on Open Banking, the need to establish a single national standard for all parties that utilize, hold, aggregate, or manipulate consumer data has become abundantly clear. 

Over the past several years, GoWest credit unions have been calling on Congress to pass legislation to establish a national data privacy, data security, and consumer notification standard for all entities that have access to and utilize consumer data. Currently there are 19 states, and counting, that have established some type of data privacy and / or security standard that financial institutions with members in those specific states must meet. This patchwork quilt of regulation is an untenable regulatory environment that makes it extremely difficult to navigate the rules and ensure compliance. Moreover, the lack of a baseline standard for merchants, financial technology solutions, and third-party vendors makes protecting credit union members even more challenging. As fraud continues to rise and scams get more complicated, it is time for Congress to act in order to provide a single, baseline national standard for all industries that manage consumer data. As outlined to our collective Members of Congress, “We rarely request a national standard be handed down from the federal government, but on the issue of data, it is absolutely necessary, and the time is now to get something done.”

As GoWest credit unions know, as financial institutions they are required to meet, and are examined on, the standards established by the Gramm-Leach-Bliley Act (GLBA), which has established a data use and security standard, although breach notification and response requirements are not consistent from state to state. On the other hand, merchants and retailers do not have a specific set of statutory data standards that they are required to adhere to, except for those within their service contracts and network agreements, even though many data breaches take place on their networks.

In the 118th Congress, Senator Maria Cantwell (D-WA), Chair of the US Senate Commerce, Science, and Transportation Committee, and her Washington state Congressional colleague, Rep. Cathy McMorris Rodgers (R-WA-5), Chair of the House Energy and Commerce Committee, developed a bipartisan bill to establish a nationwide data security and data privacy standard. The legislation, known as the American Privacy Rights Act (APRA), is a starting point for negotiations in an effort to establish a national data standard for all industries. GoWest has actively advocated for amendments to the bill in order to protect credit union members and institutions from overly burdensome and unbalanced regulatory standards, while continuing to support ultimate passage of a bill.

As we head into the “lame duck” wrap-up of the 118th Congress, following the November 5th election, and prepare for 2025 and a newly seated Congress, we will actively participate in negotiations to establish a fair and balanced approach to a national data privacy / data security standard. As Congress looks to establish or negotiate a final data privacy bill, the following issue areas must be addressed to ensure the final product is balanced:

  • Data privacy legislation should include an institution-level exemption for those institutions that are in compliance with the GLBA, as they are already regularly examined on their data security and compliance measures to protect consumers.
  • The uniform preemption of current state laws is important for establishing a strong and streamlined national data privacy / protection standard. Credit unions work diligently to comply with all applicable laws, but a single national data privacy / security standard must fully preempt state laws to manage the overarching compliance burden of countless different standards, notices, and disclosures across multiple states.
  • Data privacy and data protection legislation needs to be specifically targeted and must allow for curing actions when establishing broad legal standing or a private right of action for individuals following a breach of security or misuse of data, especially when the cause is outside credit union control, such as a breach at a merchant or a third-party vendor.
  • Data privacy / security legislation should require that merchants and retailers comply with the same strict data security standards that financial institutions are subject to under GLBA, as merchant data breaches have exposed consumers and credit unions to significant losses and reputational risk.

As we work to unpack the CFPB’s 1033 rule on Open Banking, there will be opportunities and challenges for credit unions. As the regulators set standards for how data should be managed by financial institutions under 1033, it is critical for Congress to provide a baseline standard for what data is considered to be “covered” and to ensure that all entities utilizing, aggregating, or storing data are held to the same standards.

Interestingly, the first legal challenge to the 1033 Open Banking rule was filed by the Bank Policy Institute and the Kentucky Bankers Association less than 24 hours after the final rule was announced. In their initial argument, the plaintiffs outline that the rule “imposes upon banks a vague duty to ‘document’ the compliance with consumer authorization requirements of potentially thousands of FinTechs and data aggregators, which are not subject to the same data security requirements and expectations as banks.”

The GoWest Advocacy team will continue to raise this important issue with members of the Congressional delegation throughout the remainder of the 118th Congress and in preparation for the 119th. Be on the lookout for calls to action if an opportunity or pathway to move a fair and balanced data standard presents itself before the end of this Congress.

Posted in Advocacy on the Move, Federal Advocacy.