On Compliance: The devil’s in determining which data security and privacy rules apply

State laws continue to add to the regulatory burden as public concern over cybersecurity remains high.

For the third consecutive year, a 2021 survey of U.S. financial institutions by Wolters Kluwer Compliance Solutions showed greater pessimism about seeing regulatory relief within the next two years. Issues related to data security and privacy remain a central concern, with cybersecurity the top risk management priority for 2022 cited by 70% of the credit unions and banks surveyed.

Overall compliance risk, tied with credit risk, was the second-highest priority, cited by 43% of respondents. Michael S. Edwards, an attorney in Upper Marlboro, Maryland, who specializes in credit union regulatory compliance, says data security and privacy regulations have become more of a burden because so many states are enacting their own laws.

“There’s a lot of public concern about cybersecurity, and that’s part of why you’re seeing all this state-level legislation,” Edwards says. He points out that many proposed state laws go beyond the regulations stemming from the Gramm-Leach-Bliley Act of 1999, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.

Some state laws have carve-outs (specific exceptions) for institutions that already follow the Gramm-Leach-Bliley Act's privacy regulations, as credit unions must. Other state laws have only a partial carve-out or none at all. So each time a state law passes, credit unions face the potentially daunting task of determining which of the many rules apply to them, Edwards explains.
