State laws continue to add to regulatory burden, as public concern over cybersecurity remains high.
For the third consecutive year, a 2021 survey of U.S. financial institutions by Wolters Kluwer Compliance Solutions showed greater pessimism about seeing regulatory relief within the next two years. Issues related to data security and privacy remain a central concern, with cybersecurity the top risk management priority for 2022 cited by 70% of the credit unions and banks surveyed.
Overall compliance risk (tied with credit risk) was the second-highest priority, according to 43% of the respondents. An attorney who specializes in credit union regulatory compliance, Michael S. Edwards, Upper Marlboro, Maryland, says data security and privacy regulations have become more of a burden because so many states are enacting their own laws.
“There’s a lot of public concern about cybersecurity, and that’s part of why you’re seeing all this state-level legislation,” Edwards says. He points out that many proposed state laws go beyond the regulations stemming from the Gramm-Leach-Bliley Act of 1999, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Some of the state laws have carve-outs—specific exceptions—for institutions that follow the Gramm-Leach-Bliley Act’s privacy regs—as CUs must do. But other state rules have only a partial carve-out or no carve-out at all. So, when state laws pass, credit unions must undertake the potentially daunting task of figuring out which of the many rules apply, Edwards explains.
Under the U.S. Constitution, Edwards says, states only have jurisdiction if a credit union has enough business contacts in the state to show that it’s intentionally trying to do business there. But often what constitutes “enough” business contacts is determined on a sliding scale, so it’s still kind of a gray area.
“It’s the complexity of this and the lack of uniformity that makes it a compliance challenge,” he says.
Multiple State Laws Complicate Compliance
Edwards has found that almost half of the states have proposed laws that contain data protection or data breach notification requirements, including Arkansas, California, Connecticut, Delaware, Hawaii, Indiana, Illinois, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oregon, Texas, Utah and Virginia. He recommends that credit unions check with their own counsel about the specifics for the state or states in which they operate.
The California Consumer Protection Act has gotten the most publicity, but the state has provided a fairly broad exemption for organizations like credit unions that follow Gramm-Leach-Bliley. Massachusetts and New York, on the other hand, have added some regulations not included in Gramm-Leach-Bliley relating to breach notification.
Adding to the complexity, some states have passed more than one data protection and breach notification law. For example, Edwards says, California has passed at least six different bills that together create the current regs for data protection and breach notification in the state.
The Potential for Better Uniformity
Edwards hopes state-level data security and privacy laws will eventually morph into a uniform federal standard, which is basically what happened in creating the Uniform Commercial Code. The UCC, first published in 1952, harmonized many state rules relating to commercial transactions. The UCC isn’t a federal law, but it has been uniformly adopted by states.
Edwards hopes privacy regulations will likewise become more uniform over time. But what should credit unions do in the meantime?
“Tailoring privacy policies so they’re as broad as possible is a good way to future-proof things,” Edwards suggests. He recommends to his credit union clients that they look to enact policies that comply with certain standards that almost all state laws include.
Keeping Tabs on Your CU’s Status
Edwards also likes the FFIEC Cybersecurity Assessment Tool. Credit unions can use it to get a clearer picture of its situation and to develop strategies for protecting data from fraud and other threats.
To help you use the FFIEC tool, NCUA has launched a downloadable Automated Cybersecurity Evaluation Toolbox. ACET mirrors the FFIEC’s assessment tool, and the NCUA’s download page includes a video to help you with the setup. “Using the assessment within the toolbox allows institutions of all sizes to easily determine and measure their own cybersecurity preparedness over time,” according to the NCUA website.
“You have to have good cyber hygiene,” Edwards says. “The FFIEC Cybersecurity Assessment Tool is a fairly comprehensive way to figure out where your CU is with cybersecurity sophistication. It’s not as important to focus on what grade you get, A, B, C, as it is to use that tool to analyze how sophisticated your cybersecurity tool is compared with how sophisticated your operation is.”