All participants in the payments and financial sector ecosystem, including but not limited to merchants, aggregators, technology companies, and entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act (GLBA)-like data security standards.
ICBA supports national data security standards, including customer incident/breach notifications, to replace the current patchwork of state laws.
Community banks should be notified by impacted entities of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation.
All stakeholders must continue to freely innovate to effectively protect consumer data and consumer confidence.
ICBA supports stronger data security standards and practices for law enforcement, regulatory agencies, and other governmental departments and staff.
Data breaches at credit bureaus, retailers, hotel chains, social media networks, and elsewhere jeopardize consumers’ financial integrity and confidence in the financial services industry. Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory compliance. Safeguarding customer information is critical to maintaining public trust and retaining customers. However, bad actors will continue to look for weaknesses in the payments and information systems in various industries, and breaches will occur.
Extend Gramm-Leach-Bliley Act-Like Standards
Under current federal law, retailers, technology companies, and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. To effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards such as those created by the Gramm-Leach-Bliley Act (GLBA).
A National Data Security Breach and Notification Standard is Vital
Many states have enacted laws with differing requirements for providing notice in the event of a data breach. This patchwork of state notification laws and overly broad notification requirements only increases burdens and costs, fosters confusion, and is ultimately detrimental to customers. While notifying customers is appropriate, any national notification standard needs to be accompanied by GLBA-like data security standards for all participants in the financial services industry to provide consumers a greater level of protection. Federal banking agencies should continue to set the standard for financial institutions.
Banks Need Timely and Enhanced Breach Notification
It is equally important that community banks receive timely notification concerning the nature and scope of any breach that may have compromised customer information so that they may take steps to mitigate any damage. Enhanced breach notification can save community banks time and money and is in the best interest of customers. Technology and service providers should also, as a matter of course, provide visibility into their business continuity, incident response, and other critical resiliency plans.
Breach Liability Should Incentivize Stronger Security
Regardless of where a breach occurs, as stewards of the customer financial relationship, banks take a variety of steps at their own expense to protect the integrity of customer accounts. However, these costs should ultimately be borne by the party that incurs the breach. Barring a liability shift, community banks should have access to various cost recovery options. Too often, the breached entity evades accountability while financial institutions are left to mitigate damages to their customers.
Governmental Departments and Agencies Must Safeguard Data
Despite issuing rules, regulations, and guidance, and examining financial institutions for the safekeeping of customer data, regulatory bodies have also been subject to data breaches. During bank examinations, regulators become privy to and hold sensitive bank information, including customer information. Banks also submit information on customers to the Financial Crimes Enforcement Network through Suspicious Activity Reports (SARs). Like banks, governmental departments and agencies have a responsibility to safeguard sensitive information. Liability for a breach of governmental systems may be unfairly assigned to the community banks that submitted data to them, even though they did so securely.