The increase in massive ransomware and cybersecurity breaches creates pressure for governments to protect the data of consumers. Data privacy legislation defines what information must be secured against loss due to a cybersecurity attack, and the consequences if there is a breach of consumer data. The credit union industry is no stranger to data privacy legislation, since all financial institutions are subject to securing member information through the Gramm-Leach-Bliley Act, or GLBA. However, some of these state laws expand the scope of the data that must be protected, and in some cases give the right for consumers to sue the organization if the data holder fails to meet the standards outlined in the law.
Several states are considering or have passed their own version of consumer data privacy legislation or enhancements to existing laws on the books. While only a few new laws have been enacted so far, there have been literally hundreds of bills that address privacy, cybersecurity, and data breaches introduced throughout the fifty states. This legislative activity closely mirrors the same process as state data breach notification regulations in the 2010s, where eventually all 50 states ended up passing data breach notification laws by 2018.
If the history of state data breach notifications is any guide, many if not all states will have some kind of data privacy legislation on their books by 2030. For credit unions and CUSOs, understanding the scope of applicable data privacy legislation and managing the risk accordingly will be important for both risk management and examination preparation.
Scope of legislation
There is some good news to begin with. Financial institutions will be exempt from compliance with any state data privacy legislation that conflicts with GLBA. Thus, the California Consumer Privacy Act has language specifically exempting “… personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations…”. The Constitution of the United States grants federal legislation supremacy over any conflicting state law. Therefore, consumer or member information obtained by a credit union as part of providing a financial product or service will be regulated by GLBA and not state law. Of course, credit unions and CUSOs still need to be compliant with GLBA when establishing or refining information technology controls around member information.
Examples of the type of information likely exempt from most data privacy statutes will be such items as IP addresses and information collected through cookies from consumers accessing account information in online and mobile banking, as well as consumer transaction information processed by the credit union. Information that would likely be covered under a data privacy statute includes personal information collected through marketing promotions.
For example, under the California Consumer Privacy Act (CCPA), email addresses are now considered personal information that must be protected. If a credit union collects email addresses as part of a promotion, a California resident not otherwise a member can request that their email information be deleted. The California resident has this right because the email address was obtained through a marketing promotion and not part of providing a financial product or service. Thus, credit unions and CUSOs should know the context in which information is provided can determine whether or not a state data privacy law applies. Information can be exempt because the credit union obtained the data in the context of providing a financial service; but the identical information might not be exempt if obtained in the context of a marketing campaign or promotion.
Private right of action
A “private right of action” in the context of data privacy legislation means consumers can sue organizations that violate the statute, including as part of troublesome and expensive class action lawsuits. In California, a data breach attributable to a failure to implement reasonable security procedures and practices appropriate to the nature of the personal information allows each consumer to recover of up to $750 per incident, or actual damages, whichever is greater. Plaintiff class action attorneys will certainly test this law, but on paper it would mean a business that did not implement reasonable security measures resulting in a breach affecting 20,000 consumers would potentially be liable for no less than $15,000,000 in damages.
An important note to remember, even if a statute does not grant a private right of action, consumers may be able to sue individually or as part of a class action under a different legal theory, such as negligence. Consumers may be able to show that violation of a state statute, even one that does not provide consumers with a legal remedy, can still be used to prove negligence under certain conditions. Therefore, credit union and CUSO compliance with state data privacy laws will still be important to avoid consumer lawsuits.
Current state data privacy laws summarized
| DATA PRIVACY LEGISLATION BY STATE | ||||
| STATE | TITLE | PURPOSE | PRIVATE RIGHT OF ACTION? | ATTORNEY GENERAL RIGHT TO ENFORCE? |
| CALIFORNIA | California Consumer Privacy Act | Expands privacy rights for California consumers, including: the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights | YES | YES |
| CALIFORNIA | California Privacy Rights Act | Supersedes the CCPA and expands the definition of private information to include username and password information that would permit access to an online account | YES | YES |
| COLORADO | Colorado Privacy Act | For larger processors, expands the definition of sensitive information that must be protected and gives consumers additional rights to opt-out or correct personal information | NO | YES |
| CONNECTICUT | An Act Concerning Data Privacy Breaches | Expands the types of information that must be reported if breached, shortens the timeframe for reporting a breach, clarifies applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information” | N/A | N/A |
| CONNECTICUT | An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses | Establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards | N/A | N/A |
| VIRGINIA | Consumer Data Protection Act | Grants the right of Virginia citizens to opt-out of use of their data for advertising, and expands the sensitive consumer data that must be protected | NO | YES |
| STATE DATA PRIVACY LEGISLATION MAP | |
| State Data Privacy Legislation Passed (Yellow) | State Data Privacy Legislation Introduced (Purple) |
What about the United States Congress?
All state data privacy laws could be moot if the federal government passes comprehensive data privacy legislation. Multiple bills have been introduced in the U.S. Congress, including the Consumer Data Privacy and Security Act and the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) that have sweeping data privacy language in the initial draft of the legislation. Some of the data privacy legislation under consideration by Congress that could affect credit unions and CUSOs include:
| DATA PRIVACY LEGISLATION UNDER REVIEW BY THE 117TH CONGRESS* | ||||
| CHAMBER | TITLE | PURPOSE | PRIVATE RIGHT OF ACTION? | WOULD PREEMPT STATE LAW? |
| BOTH | Fourth Amendment is Not For Sale Act | Prohibits law enforcement and intelligence agencies from obtaining subscriber or customer records in exchange for anything of value | N/A | N/A |
| HOUSE | Protecting Consumer Information Act of 2021 | To direct the Federal Trade Commission to review and potentially revise its standards for safeguarding customer information to ensure that such standards require certain consumer reporting agencies and service providers of such agencies to maintain sufficient safeguards against cyber-attacks and related threats, to provide for additional authority to enforce such standards with respect to such agencies and providers | N/A | N/A |
| HOUSE | Information Transparency and Personal Data Collection Act | To require the Federal Trade Commission to promulgate regulations related to sensitive personal information | NO | YES |
| HOUSE | Cybersecurity Vulnerability Remediation Act | To amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities | N/A | N/A |
| SENATE | BROWSER Act of 2021 | This bill establishes information privacy protections that require broadband internet access services and certain websites or mobile applications to provide users with the ability to opt-in or opt-out of the using, disclosing, or accessing of their user information depending on the sensitivity of the information | NO | YES |
| SENATE | Mind Your Own Business Act of 2021 | This bill requires assessments, periodic reporting, and the development of an opt-out process for specified commercial entities that operate high-risk information systems or automated-decision systems, such as those that use artificial intelligence or machine learning | YES | NO |
| SENATE | Consumer Data Privacy and Security Act of 2021 | Consumers have the right to access, correct, and delete their data, and prohibits collection without consent | NO | YES |
| SENATE | Data Protection Act of 2021 | Establishes an independent federal “Data Protection Agency” to regulate the use of personal data | N/A | N/A |
| SENATE | SAFE DATA Act | Establishes comprehensive data privacy and data security protections for consumers in the United States | YES | NO |
* This is not a comprehensive list, as there are over 20 data privacy and related bills under consideration in the 117th Congress. The bills listed here are more likely than the others to affect the financial services industry if enacted.
However, as with a federal breach notification standard, Congress has not yet been able to pass uniform requirements for data privacy. For the immediate future, states are more likely to enact data privacy legislation than Congress, although the recent wave of nationally reported ransomware and other malicious cybersecurity incidents will increase pressure on Congress to act.
Data privacy is now, not later
Headline-grabbing cybersecurity events strongly pressure state governments to respond by introducing or enforcing data privacy legislation. Credit unions and CUSOs should understand if they are subject to a state’s data privacy legislation and modify security procedures and protocols as necessary. IT staff and risk managers should know what information is in-scope under state data privacy laws and, under what circumstances this information should be protected.
For example, consumer information otherwise exempt from state law if provided in conjunction with a financial product or service might not be exempt if this same information is obtained through a different context, such as a marketing promotion. Effort to protect information should be proportional to the risk, for example credit unions and CUSOs should consider the possible damages if consumers have a right to sue the organization in the event of a data breach.
