Could a California Law Force Congress’s Hand on Data Security?

Issue has plagued the financial services sector for years

The California Consumer Privacy Act follows in the footsteps of the European Union’s General Data Protection Regulation, and some observers predict the Golden State’s initiative could set the standard for data security.

While credit unions have been sounding the alarm about data breaches since the Home Depot and Target hacks more than five years ago, the chorus calling for national standards grew louder in the wake of the Facebook-Cambridge Analytica scandal and the massive breach at Equifax. And while credit unions have spent years calling for lawmakers to hold merchants accountable for data breaches, some in the industry say legislators still aren’t doing enough on that front.

From a policy perspective, credit unions are looking to Congress to subject merchants that accept card payments to the same security standards credit unions, banks and other card issuers adhere to.

More than one-third of Americans belong to a credit union, and industry groups frequently point to the movement’s significant sway with lawmakers, since every member of Congress has credit union members in their district.

With more than 40 million consumers, California is the world’s fifth largest economy, and some analysts have suggested that many organizations may comply with CCPA out of an abundance of caution. According to the Breach Level Index, more than 6.5 million records are stolen each day – a whopping 75 records per second. A report from the Identity Theft Resource Center found 1,244 different data breaches occurred in 2018 – a 23 percent decrease compared to the previous year, though the number of consumer records containing personally identifiable information was up by 126 percent. An estimated 14.7 billion records have been compromised since 2013, but despite efforts from credit unions, consumer groups and more, there is still no national standard in place.

Under CCPA, financial institutions and other organizations doing business in the state will face new compliance burdens on the data they collect from consumers and will need strong data governance policies in place to ensure they understand that data. Among the requirements will be pseudonymization – in other words, a procedure making it more difficult to identify whose data belongs to whom if the data falls into the wrong hands.
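To make the pseudonymization requirement concrete, here is an added example (not from the article, and not any regulator's or vendor's reference code) that replaces direct identifiers in a constructed set of member records with keyed HMAC-SHA256 tokens. The key is assumed to live apart from the pseudonymized dataset (for instance in a KMS or HSM), which is what makes the tokens hard to link back to a person if only the dataset leaks; the field names, record layout and sample values are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of member records for the example; not real data.
MEMBERS = [
    {"member_id": "CU-10001", "email": "alice@example.com", "balance": 1250.00},
    {"member_id": "CU-10002", "email": "bob@example.com", "balance": 87.50},
    {"member_id": "CU-10001", "email": "alice@example.com", "balance": 400.00},
]


def generate_pseudonym_key() -> bytes:
    """Create a 32-byte secret. It must be stored separately from the
    pseudonymized data (assumed: a KMS/HSM), never alongside it."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Keying the hash (instead of plain SHA-256) means nobody without the
    key can recompute tokens for guessed inputs such as common e-mail
    addresses. Mixing in the field name domain-separates tokens, so the
    same string in two columns does not produce the same token."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_records(records, key: bytes):
    """Return a copy of the records with identifiers replaced by tokens.
    Non-identifying fields (here, balance) are kept for analysis."""
    out = []
    for r in records:
        out.append({
            "member_token": pseudonymize(r["member_id"], key, "member_id"),
            "email_token": pseudonymize(r["email"], key, "email"),
            "balance": r["balance"],
        })
    return out


def matches(value: str, token: str, key: bytes, field: str) -> bool:
    """Controlled re-identification: only a holder of the key can confirm
    whether a token belongs to a given identifier. Constant-time compare
    avoids leaking information through timing."""
    return hmac.compare_digest(pseudonymize(value, key, field), token)


if __name__ == "__main__":
    key = generate_pseudonym_key()
    for rec in pseudonymize_records(MEMBERS, key):
        print(rec)
```

Because the same identifier always maps to the same token under one key, the pseudonymized set still supports joins and per-member aggregation, which is the usual reason an institution chooses pseudonymization over outright anonymization. Rotating or destroying the key is what severs the link.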