Data security breaches continue to put millions of consumers at risk, and protecting consumer information and the privacy of personal information is a shared responsibility of all parties involved. While robust federal data security and privacy requirements for banks have been in place for nearly 30 years, other business sectors lack such requirements and have been the source of many large-scale breaches.
Due to controversy over certain uses of personal information by nonbanks, such as Facebook and Google, it would make sense for Congress to consider legislation providing federal privacy protections for consumers. However, banks are not the problem and should not be the focus of such legislation. GLBA and other existing privacy laws affecting the financial services industry already provide important privacy protections, and these protections must not be duplicated or undermined by federal privacy legislation. For example, the GLBA already provides transparency by requiring banks to give customers written notices describing their privacy policies and their use of personal information, and it prohibits sharing that personal information with unaffiliated third parties without the consumer’s consent.
The application of robust data security and privacy standards by all entities that handle sensitive personal and financial information is critical. Stopping incidents like the Equifax, Sonic, Hyatt, Target, Home Depot and other breaches is critical for consumers, and also important to banks, which often have the closest relationship to those affected. Data breaches impose significant costs on banks of all sizes because our first priority is to protect consumers and make them whole.
Support a national privacy and data security standard that includes the following provisions:
Recognize the strong privacy and data security standards that are already in place for financial institutions under the GLBA and other federal financial privacy laws, and avoid provisions that duplicate or are inconsistent with those laws.
Ensure that all entities that handle sensitive personal information are required to protect that data and provide notice in the event of a breach that puts consumers at risk.
Provide robust, exclusive enforcement of this national standard by the appropriate federal or state regulators, including preserving the GLBA’s existing administrative enforcement structure for banks and other financial institutions.
Preempt state privacy and data security laws to ensure that a national standard provides consistent protection for all Americans.