Mitigating Risk and Maintaining Compliance in Evolving Privacy Landscape
November 30, 2021
Editor’s note: NWCUA’s 2021 Legal Symposium is sponsored by Miller Nash, a nationally recognized industry-focused law firm with offices in Oregon, Washington, California, and Alaska.
The following article is written by Leila Javanshir, a business attorney with Miller Nash and certified information privacy professional (CIPP-US) who focuses on matters involving privacy, data security, vendor contracting, intellectual property, and regulatory compliance for clients who operate in a variety of industries, including financial institutions. Javanshir will speak at the Legal Symposium on Dec. 2.
Since the introduction of the General Data Protection Regulation (“GDPR”) in 2018, the United States has seen a significant influx of state-by-state legislation regarding consumer privacy and data security.
The patchwork of laws across the country has made it difficult for financial institutions and other businesses to keep up with compliance. Due to the vast amount of sensitive data credit unions collect, store, and share with their vendors, credit unions are keeping new and emerging privacy legislation top of mind.
California, Virginia, and Colorado have all passed comprehensive privacy laws. While Virginia’s and Colorado’s laws (both effective in 2023) wholly exempt entities subject to the Gramm-Leach-Bliley Act (“GLBA”), California’s law does not. Instead, the California Consumer Protection Act (“CCPA”) only exempts personal information that is collected pursuant to the GLBA. Due to the narrow scope of the GLBA, there is an array of personal information collected by credit unions that would fall outside the scope of the GLBA but remain within the scope of the CCPA.
These types of nuances are critical for credit unions to pay attention to as privacy legislation continues to develop across the country. In 2021, at least 22 states have introduced a comprehensive data privacy bill, and we expect to see many more laws on the map in the near future.
Protecting Member Data and Mitigating Risk
With privacy legislation on the rise, and as the consequences for failing to properly secure data become even more significant, credit unions must thoroughly review vendor contracts with their legal obligations in mind. Vendor weaknesses pose one of the biggest threats to credit unions and their obligation to safeguard member data.
It is critical that credit unions have a deep understanding of what kind of data their vendors will have access to, what they are permitted to do with that data, and what kind of security measures they have in place to protect that data. Having a comprehensive system in place to vet all vendors (especially vendors that will have access to member data) is an important step to avoid security pitfalls.
As privacy legislation continues to evolve across the country, credit unions should continue to monitor their legal obligations for protecting member data to maintain compliance and reduce risk.
Learn more about data privacy and risk mitigation at the 2021 Legal Symposium on Thursday, Dec. 2, from 9 a.m. to 2 p.m. PST (10 a.m. to 3 p.m. MST). Register today!
Disclaimer: This article is not legal advice. It is provided solely for informational and educational purposes and does not fully address the complexity of the issues or steps that businesses must take under applicable laws.