How a California law could force Congress's hand on data security
Could a California law aimed at halting data breaches force Congress to make progress on an issue that has plagued the financial services sector for years?
That’s one of the big questions hanging over the Credit Union National Association’s Governmental Affairs Conference, taking place this week in Washington. Thousands of credit union professionals are in the nation’s capital to hear from lawmakers and hold face-to-face meetings with their representatives, and industry advocates in many of those meetings will be pressing lawmakers to adopt a federal standard that covers both data privacy and data security.
The California Consumer Privacy Act follows in the footsteps of the European Union’s General Data Protection Regulation, and some observers predict the Golden State’s initiative could set the standard for data security.
“Both have potential to set a de facto national standard,” said Ryan Donovan, chief advocacy officer of the Credit Union National Association. He added that the California rule – which requires stringent data protections for any company doing business with a California resident – “may provide enough evidence for Congress to finally act.”
While credit unions have been sounding the alarm about data breaches since the Home Depot and Target hacks more than five years ago, the chorus calling for national standards grew louder in the wake of the Facebook-Cambridge Analytica scandal and the massive breach at Equifax. And while credit unions have spent years calling for lawmakers to hold merchants accountable for data breaches, some in the industry say legislators still aren’t doing enough on that front.
From a policy perspective, said Donovan, credit unions are searching for Congress to subject merchants accepting card payment methods to the same security standards credit unions, banks and other card issuers adhere to.
More than one third of Americans belong to a credit union, and industry groups frequently proclaim the movement’s significant sway with lawmakers, since every member of Congress has credit union members in their district. So why then hasn’t the industry been able to make any headway on this issue?
“There are some institutional issues in Congress that make it challenging to get legislation on this topic through,” explained Donovan. “Those institutional challenges start with the fact that a bill that would govern data privacy or data security is likely to get referred to at least three or maybe as many as six or seven committees in the House of Representatives, and probably a similar number in the Senate. And each of these committees has a focus which isn't always in alignment with the others.” And when CUNA-backed legislation has made it through one committee in the past, he added, it has sometimes been bogged down or ignored entirely by other committees.
Furthermore, noted Ray Walsh, a cybersecurity expert at BestVPN.com, the technology lobby has plenty of pull in the halls of Congress. And Walsh noted that any federal bill backed by the tech industry to supersede California’s regulation would likely be a watered-down, one-size-fits-all policy.
“Now consider that CCPA is an already weakened version of the original legislation that privacy advocates were hoping to pass in California, and you begin to understand the problem we are facing,” he added.
Already a model in place?
With more than 40 million consumers, California is the world’s fifth largest economy, and some analysts have suggested that many organizations may comply with CCPA out of an abundance of caution. According to the Breach Level Index, more than 6.5 million records are stolen each day – a whopping 75 records per second. A report from the Identity Theft Resource Center found 1,244 different data breaches occurred in 2018 – a 23 percent decrease compared to the previous year, though the number of consumer records containing personally identifiable information was up by 126 percent. An estimated 14.7 billion records have been compromised since 2013, but despite efforts from credit unions, consumer groups and more, there is still no national standard in place.
“There needs to be a national data security standard for protection of personal and financial information because credit unions often have to pick up the pieces when their members are the victim of a data breach,” says Brad Thaler, VP of legislative affairs at the National Association of Federally-Insured Credit Unions.
According to Andrew Burt, a former cyber specialist at the FBI and now chief privacy officer and legal engineer at Immuta, a data science firm, the CCPA’s greatest impact lies in the way it empowers consumers by helping them better understand how their data is used, traded or sold, and clears up previously murky waters in those areas.
Under CCPA, financial institutions and other organizations doing business in the state will face new compliance burdens on the data they collect from consumers, and will need strong data governance policies in place to ensure they understand that data. Among the requirements will be pseudonymization – in other words, replacing direct identifiers with tokens so that, if the data falls into the wrong hands, it is harder to work out whose data is whose without additional information that is kept separately.
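To make the pseudonymization idea concrete, here is an added example that is not part of the original article and is not prescribed by CCPA, which names no algorithm. It assumes one common approach: direct identifiers (here, an email address) are replaced with a keyed HMAC-SHA256 token, and the secret key plus the token-to-identity lookup table are stored separately from the pseudonymized dataset. The sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records for the example (not real member data).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "zip": "94110", "balance": 1200.50},
    {"email": "bob@example.com", "zip": "90210", "balance": 310.00},
    {"email": "alice@example.com", "zip": "94110", "balance": 45.00},
]


def normalize_identifier(value: str) -> str:
    """Canonicalize the identifier so the same person always gets the same token."""
    return value.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    Because the key is secret, a party holding only the dataset cannot recompute
    tokens from guessed identifiers the way they could with a plain, unkeyed hash.
    The hex digest is truncated to 128 bits purely for readability.
    """
    msg = normalize_identifier(identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_records(
    records: List[dict], key: bytes, field: str = "email"
) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the identifier field with a token.

    Returns (pseudonymized dataset, lookup table). The lookup table and the key
    are the "additional information" and must live in a separate, more tightly
    controlled store than the dataset itself.
    """
    dataset: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonymize(rec[field], key)
        lookup[token] = normalize_identifier(rec[field])
        new_rec = {k: v for k, v in rec.items() if k != field}
        new_rec["subject_id"] = token
        dataset.append(new_rec)
    return dataset, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> str:
    """Re-identification is only possible with the separately held lookup table."""
    return lookup.get(token, "")


def contains_direct_identifiers(dataset: List[dict], fields=("email",)) -> bool:
    """Check used before releasing a dataset: no direct identifier field survived."""
    return any(f in rec for rec in dataset for f in fields)


def tokens_link_across_datasets(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """Two datasets pseudonymized under different keys cannot be joined on the token."""
    return pseudonymize(identifier, key_a) == pseudonymize(identifier, key_b)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per dataset; stored apart from the data
    dataset, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    for rec in dataset:
        print(rec)
    print("direct identifiers left:", contains_direct_identifiers(dataset))
    print("re-identified first record:", reidentify(dataset[0]["subject_id"], lookup))
```

Two properties of this design matter for a governance policy: the token is deterministic under one key, so records about the same person can still be joined inside an organization, while a different key per dataset or per recipient prevents linkage across them. Note that pseudonymization is not anonymization: the remaining fields (ZIP code, balance) are quasi-identifiers, and the key and lookup table are exactly the assets whose compromise turns a pseudonymized leak back into a breach of personal data.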
NAFCU’s Thaler pointed out that the Gramm-Leach-Bliley Act could be a model for a national data standard in the way it requires financial institutions to disclose how they share and protect consumers’ private information. GLB was designed to scale to institutions of any size, and it created a flexible standard that could be applied based on what type of data an institution works with.
The concept of a national data security standard has become so widespread it has even bled into some campaign platforms in the 2020 presidential race – most notably that of Sen. Elizabeth Warren.
Some analysts have suggested consumers have become so used to data breaches that security desensitization has set in, but Burt argues that the Cambridge Analytica scandal – which had nothing to do with banking – actually served as a catalyst to help consumers better understand the impact of data breaches.
“When it comes to digital products, we as a society have really embraced products and services that do not prioritize our privacy and do not prioritize our security,” Burt said.
“I think there's been some sense that the erosion of our privacy and the erosion of our security has been inevitable because we keep embracing these services and these products,” he added.
And that greater consciousness of the issue – along with rules in California and the EU – could help push Congress to finally act.
CCPA is the first law in the United States to effectively mimic GDPR, and though former California governor Jerry Brown signed the legislation into law in May, it won’t go into effect until Jan. 1, 2020, giving credit unions and other groups time to continue to press Congress on a national standard.
“Deadline and crisis are what motivate [Congress], so if the deadline isn’t enough the potential harm and disruption in the economy may be enough to get Congress to act,” Donovan said.