As lawmakers consider legislation on data privacy, they should amend a 1999 law that established privacy requirements for financial institutions to better reflect the modern financial services ecosystem, the American Bankers Association and four banking and credit union associations said today.
In July, the House Financial Services Committee requested public feedback on current federal data privacy law for financial institutions and possible legislative changes to existing regulations. The Gramm-Leach-Bliley Act is the main vehicle regulating data privacy at financial institutions, and in a joint letter to the committee, the associations said the law is “a carefully calibrated regime designed to avoid interference with core financial activities that benefit consumers.”
The associations highlighted what is worth preserving in the GLBA while offering possible improvements. Among their recommendations:
- The GLBA should clearly preempt state privacy laws, and any entities subject to its provisions must be exempt from any comprehensive federal consumer privacy laws in order to avoid interference with the GLBA.
- The GLBA should continue to be enforced by federal regulators rather than through private litigation.
- The GLBA should be amended to create a more consistent regulatory playing field among traditional and novel financial institutions as well as other entities operating in the financial ecosystem.
- The GLBA should be amended to include a safe harbor for the sharing of information regarding fraud and scams.
- The GLBA should be harmonized with Section 1033 of the Dodd-Frank Act as appropriate, including to apportion liability for when consumer-permissioned data sharing results in a data breach, as well as part of the data subject rights issue.
In addition, the associations recommended that lawmakers reconsider national data breach standards: “In addition to federal data breach notification requirements, complying with 50 inconsistent state data breach notification requirements plus the District of Columbia and other territories is overly burdensome on financial institutions and provides little if any value for consumers, as notice to impacted customers is already covered by GLBA.”