CBA Calls for Uniform National Data Security Standard



93 percent of exposed records from non-financial institutions


WASHINGTON, D.C. – The Consumer Bankers Association today wrote Senate Banking Committee Chairman Mike Crapo (R-Idaho) and Ranking Member Sherrod Brown (D-Ohio) to offer feedback in response to the committee’s request for information on data privacy, protection and collection. CBA also called on Congress to enact a uniform national standard to ensure consumer data is protected at every step of the payment system, including at non-financial institutions, where the most records of personal information are exposed.


“In light of recent data breaches and abuses, consumers are rightly concerned about the manner in which their personal information is being collected and how this sensitive information is being both shared and protected,” CBA President and CEO Richard Hunt wrote. “No industry was immune from breaches … however, it is important to note that the non-financial business sector was responsible for 93 percent of the records compromised. The low breach-rate of personally identifiable information at financial institutions compared to other sectors can be attributed to the common-sense safeguards required by [the Gramm-Leach-Bliley Act] and the industry’s commitment to security.


“Banks are on the front lines consistently monitoring for fraud and working to make consumers whole, no matter where a breach occurs. From operating advanced fraud monitoring systems to reissuing cards, CBA members spend considerable resources on preventing fraud. As a result, consumers rely on their financial institutions to communicate what to do in the event of a breach and to employ defenses to prevent fraud and identity theft.”


CBA supports data security and breach notification legislation encompassing the following elements:

  • A flexible, scalable standard for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds.
  • A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
  • Consistent, exclusive enforcement of the new national standard by the Federal Trade Commission (FTC), other than for entities subject to state insurance regulation or who comply with GLBA or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
  • Clear preemption of the existing patchwork of often conflicting and contradictory state laws.


CBA’s full letter is available here.


Finally, CBA discussed consumer privacy and consumer credit reporting. On privacy, CBA supports allowing consumers reasonable control over the collection, use and sharing of personal data but cautioned against any legislative proposal that would inhibit a bank’s ability to fulfill contractual obligations to consumers. CBA also raised concerns with efforts to change credit reporting laws, noting that without a complete credit history, lenders would not be able to accurately assess a borrower’s ability to repay a loan, potentially opening up safety and soundness implications.




About the Consumer Bankers Association:

The Consumer Bankers Association represents America’s leading retail banks. We promote policies to create a stronger industry and economy. Established in 1919, CBA’s corporate member institutions account for 1.7 million jobs in America, extend roughly $4 trillion in consumer loans and provide $275 billion in small business loans annually. Follow us on Twitter @consumerbankers.