CBA Writes Senate Commerce on Data Privacy

December 4, 2019
Nick Simpson

 

CBA Writes Senate Commerce on Data Privacy

93 percent of personal records comprised in 2018 were from the non-financial business sector, which is not subject to national data security requirements

 

WASHINGTON, D.C. – The Consumer Bankers Association (CBA) wrote Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and Ranking Member Maria Cantwell (D-Wash.) in advance of the committee’s hearing examining consumer data privacy proposals.

 

“Data breaches have become all too prevalent in our digital world and consumers are rightly concerned about the manner in which their personal information is collected, shared, protected and stored,” CBA President and CEO Richard Hunt wrote.

 

CBA’s letter discusses several key topics covered in the hearing, including: the state of data privacy; consumer privacy; data security and breach notification; and the California Consumer Privacy Act. Each topic is discussed in more detail below.

 

A full copy of CBA’s letter is available here.

 

State of Data Privacy

 

While no industry is immune from breaches, data from the Identity Theft Resource Center shows 93 percent of personal records comprised last year were from the non-financial business sector, which is not subject to national data security requirements.

 

Financial institutions on the other hand are required by the Gramm-Leach-Bliley Act (GLBA) to provide customers a clear privacy notice detailing information collection and sharing practices, which includes an opt-out for the sharing of information with non-affiliated third parties. This notice is provided at the beginning of the customer relationship and annually thereafter. GLBA and subsequent regulations also require banks to have in place data security protocols to safeguard sensitive consumer information and to report to federal authorities and affected consumers when a breach occurs. Banks are examined by their prudential regulators on these standards and if found to be non-compliant may face fines or other penalties.

 

“The low breach-rate of personally identifiable information (PII) at financial institutions compared to other sectors can be attributed to the common-sense safeguards required by GLBA and the industry’s commitment to security. As a result, consumers trust financial institutions more than any other type of organization to keep their financial information secure,” Hunt added.

 

Consumer Privacy & National Data Privacy Framework

 

Consumers should have reasonable control over the collection and sharing of personal data, CBA notes, and supports a national data protection and privacy law as a way to prevent a patchwork of state consumer protection laws, which can create barriers to innovation and investment. It would also account for the way Americans live in a digital era where transactions often cross state lines.

 

As Congress considers a national data privacy framework, however, there must be a recognition in the differences in data collection by industry. Banks, for example, are required to collect certain information about transactions pursuant to the Bank Secrecy Act and to fulfill Customer Identification Program requirements. This helps create personalized banking services for customers, helps eliminate fraudulent transactions and provides law enforcement with beneficial anti-terrorism or anti-money laundering information.

 

Data Security & Breach Notification

 

It is critical, CBA writes, any conversation around data privacy also take seriously the security of data and the protocol for notifying customers in the event of a breach for all who operate within the payments system.

 

“Banks are on the front lines, investing large amounts of operating capital in fraud monitoring and security. Our member institutions consistently monitor our customer accounts for fraud and work to make consumers whole, no matter where a breach occurs,” Hunt wrote. “Consumers rely on their financial institutions to communicate what to do in the event of a breach and to employ defenses to prevent fraud and identity theft.”

 

GLBA requires banks to implement comprehensive, risk-based information security programs that are both flexible and scalable. A similar framework should apply to non-bank companies to ensure sensitive information is protected throughout the payment system.

 

Banks must also implement a risk-based response program in the event of a breach. CBA supports and urges Congress to consider passing legislation that will require others in the payment.

 

California Consumer Privacy Act (CCPA)

 

CCPA is the first major consumer privacy law to be adopted at the state level. This legislation was written hastily and the California Attorney General is currently revising portions of the law. As the California privacy law continues to evolve, it would be prudent for Congress to monitor issues with implementation and use observations from industry stakeholders to draft a federal data privacy and security standard.

 

In general, CBA member banks support providing consumers with an expanded set of consumer privacy rights. However, the CCPA as currently written has some critical flaws which will harm both consumers and businesses. For example, the proposed regulations require a bank to specify a concerning level of detail about certain privacy practices, which could potentially benefit social engineers looking to commit fraud.

 

Other concerns with the CCPA include the definition of “sell” and its impact on service providers, as well as the lack of reasonable limitations on consumer privacy rights to protect intellectual property and avoid infringement issues. Considering the importance of this issue and the impact it will have on both consumers and businesses, it is imperative that Congress is thoughtful in drafting meaningful legislation to protect consumers and provide businesses with certainty.

 

###

 

About the Consumer Bankers Association:

The Consumer Bankers Association represents America’s leading retail banks. We promote policies to create a stronger industry and economy. Established in 1919, CBA’s corporate member institutions account for 1.7 million jobs in America, extend roughly $4 trillion in consumer loans and provide $275 billion in small business loans annually. Follow us on Twitter @consumerbankers