All industries in the U.S. should be held to the same data privacy standards as the nation's financial institutions, Jeremy Dalpiaz, vice president of cyber and data security policy for the Independent Community Bankers of America, told Banking Dive.
In response to a request for information on consumer privacy, the ICBA submitted a comment letter to the Senate Committee on Banking, Housing and Urban Affairs in March, outlining what community banks are required to do by statute and regulation under the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act.
"No matter the size of the institution, whether you're JPMorgan Chase or the small community bank of $100 million, you're all subject to the same requirements under GLBA," Dalpiaz said.
Financial institutions in the U.S. have been subject to GLBA since it was enacted in 1999. The law requires financial institutions to disclose their information-sharing practices to their customers and to safeguard sensitive customer data.
In its letter, the ICBA also called for legislation that would enforce a set of national data privacy standards for all industries, not just banks.
"Community banks and other financial institutions are required by statute and regulation to safeguard personally identifiable information," the letter states. "To ensure consumers receive enhanced protection of their personal information, all entities that handle personal information should be required to safeguard this information, in a manner comparable to financial institutions."
The American Bankers Association also submitted a comment letter, in which it said the GLBA should be considered "a tried-and-true model for transparency" for purposes of federal privacy legislation.
"While ABA supports legislation to put in place a national privacy standard, that standard must recognize the strong privacy and data security standards that are already in place for the financial sector under the GLBA and other financial privacy laws and avoid provisions that duplicate or are inconsistent with those laws," the ABA said in its letter.
The European Union's General Data Protection Regulation, which took effect in May 2018, protects the personal data of individuals in the EU and, among other obligations, requires organizations to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible.
Equifax's 2017 data breach is also back in the national conversation, after the company said Monday it would pay a $700 million settlement.
Dalpiaz said the ICBA would like to see the implementation of a national notification standard rather than a patchwork of state laws when it comes to privacy regulations.
After the nation's most populous state passed the California Consumer Privacy Act last year, 25 states introduced similar bills addressing data privacy, according to the National Conference of State Legislatures.
If more states enact their own data privacy laws, Dalpiaz said, it would create hurdles for community banks that serve customers in two or three states or that sit near state borders.
"Community banks are built on trust relationships," Dalpiaz said. "At the core of that trust relationship is protecting the information of the consumer. And protecting the assets of the consumer, essentially, is what it boils down to. If the bank doesn't do that, they lose trust and the core of what they do."