Taking on CU Issues: Mike Mercer, CEO of LSCU, speaks on Data Security and Privacy
This is part 2 of a 4-part series giving in-depth information on LSCU’s Hike the Hill event held Oct. 22-23.
Last week, the D.C. Hill Hikers had an agenda item to discuss that has been on the list for a long time … data security standards and data breach liabilities that would apply to merchants. Despite more stories from us about the costs of card reissue and loss exposures, we mostly heard that the private sector, not Congress, should find solutions (like chip technology). And, more telling, that representatives viewed this as another Merchants vs. Financial Institutions interchange-style feud … “We’re not getting on the tip of that spear!”
There may be a “backdoor.” During the course of the security discussions, another topic came up spontaneously, sometimes from credit union hikers but often from the Congressional folks themselves … Data Privacy. The concern: States are expected to enact their own data privacy standards in the absence of federal law/regulation. This, of course, leads to a compliance nightmare for any organization that is trying to “get it right.” Rs and Ds alike were sympathetic to the problems. The bad guys become the tech giants out west, not the merchants in their districts.
It turns out that the issue of data privacy rights has been addressed collaboratively across the entire Euro-zone. In 2016, the General Data Protection Regulation was adopted by the EU. In May of 2018, the rule went into effect. The new rule has two significant objectives: 1) protections for citizens … the use of their data and recourse if abused and 2) common obligations for data privacy and protection across all businesses. If you’d like to know more about this international trend-setting privacy/security rule, check out the official EU site … GDPR
In 2018, we heard that GDPR will never be adopted in the U.S. (home of Google, et al). But state governments didn’t get the message. California took the first shot … it passed the Consumer Privacy Act. While it doesn’t deal with data security requirements, and it doesn’t apply to small firms, it is apparently setting the bar for legislative debates in other states. And, for large businesses, it has apparently become the de facto standard for data privacy rights nationwide. Wikipedia provides an accessible summary if you’re interested … CA Consumer Privacy Act
Over the next couple of years, attention to data security and privacy will take place in D.C. and in all three of the LSCU state capitals. Credit unions should/will be involved in the evolution of public policy. Stay tuned!