SAN DIEGO–Credit unions and CUSOs here were told that even if tighter laws around privacy and data security aren’t yet here, they’re coming—and they need to be ready.
Speaking to NACUSO’s annual meeting here, Jennifer Winston, an attorney with Messick Lauer & Smith, said credit unions are approaching a “tipping point” in relation to privacy and how member information is used.
“How you collect, protect and even dispose of member information is only going to become more important moving forward,” said Winston.
Moving forward, that includes an assessment of risk management as it relates to oversight of service provider arrangements, Winston said. “If you are serving credit unions, not only do you want to be a good steward, these requirements are going to be your requirements, as well,” she said. “(Government is) going to take that data and create a baseline cybersecurity expectation moving forward. You must have procedures and policies in place to anticipate and mitigate cybersecurity risk.”
Variety of Risks
Under the umbrella of risk related to a data breach, said Winston, are legal, operational, reputational and financial risks, and a credit union and/or CUSO must be prepared for all of them. Winston reminded attendees that approximately 6.5 million records are lost each day.
Under federal rules and regulations, Winston said, most credit unions and CUSOs are familiar with Gramm-Leach-Bliley and its requirements around privacy and security. But Winston noted credit unions and CUSOs must also comply with COPPA (which deals with children’s personal information online); CFCRA (credit information); UDAAP; and TCPA and CAN-SPAM (which require appropriate prior consent and opt-out management).
“There are proposed changes that would require financial institutions to encrypt all member/customer data, implement access controls to prevent unauthorized access, and more,” added Winston.
An Import to Watch
There is another major development emerging on the horizon for credit unions and CUSOs, and that’s the European Union’s General Data Protection Regulation (GDPR). As CUToday.info earlier reported here, the rule, which currently applies to the use of personal data for individuals inside the E.U., is a likely model for laws to be enacted at both the state and federal level in the U.S., said Winston.
“The GDPR grants individuals certain rights with respect to their personal data, including the right of access, the right of erasure (also known as the right to be forgotten), the right to restrict the processing of personal data, the right to notification of the purpose and legal basis for processing of personal data, and the categories of recipients of that data,” said Winston.
There is also a requirement that in the event of a breach those affected be notified within 72 hours.
“Right now, it’s questionable whether or not it’s enforceable against anyone in the U.S.,” said Winston.
Feds, States, Watching Rule
“But what you do want to keep in mind is that states and the federal government are looking at this, and something like this is going to be here soon. Some states have already shown some influence, and 24 states now have laws addressing security practices. Many are expanding the definition of personal data. You can’t deny the GDPR is having an impact.”
Among the states that have already followed the GDPR’s lead is California, which has passed the California Consumer Privacy Act, set to go into effect in 2020. The California law, said Winston, provides consumers with more control over their personal information and requires companies of a certain size to notify consumers of what is being collected from them, how that personal information is being collected and used, and whether and to whom it is being disclosed or sold. A company must also provide easy opt-outs from the sale of personal information to third parties, and agree to delete personal information upon request.
“At this point, businesses should start mapping the information you are collecting, how you are sharing it, and the locations where it is stored, so that no matter what comes down the road you are as ready as you can be,” said Winston.