Privacy advocates are urging Congress to make major changes to the security and privacy guidance given to financial companies, and make breach notifications mandatory.
In a statement sent to the leaders of the Senate Committee on Banking, Housing, and Urban Development the Electronic Privacy Information Center asked the committee to adjust the rules governing the way that financial services and financial technology companies handle customer data. The committee held a hearing on fintech issues yesterday, and EPIC officials said now is the time to reexamine the way these companies deal with security and privacy concerns.
“The serious threat that hacks and data breaches pose to the consumer information held by financial institutions cannot be overstated. Fintech and all companies in the financial services industry should be subject to strict privacy rules to protect consumers. Current rules and regulations for financial services companies should be revised so that they are mandatory, not merely guidance, and require consumers to be informed in the event of a data breach,” EPIC said in the letter sent to committee leaders.
The security and privacy of consumer financial data have been a concern for many years, but they have come into sharper focus recently. While many states have individual data breach notification laws, there is no national law requiring companies to notify consumers in the event of a data breach. EPIC is urging Congress to pass a measure that would require financial and fintech companies to notify customers after a breach. There have been many efforts in the past to pass a national breach notification law, but none has succeeded.
Experts are also asking Congress to extend privacy regulations to fintech and other similar companies.
“Privacy protections in other areas of the law can and should be extended to cover the consumer data now fueling fintech underwriting. The Health Insurance Portability and Accountability Act, or HIPAA, obliges doctors and hospitals to give patients access to their records. The Fair Credit Reporting Act gives loan and job applicants, among others, a right to access, correct and annotate files maintained by credit reporting agencies,” Frank Pasquale, professor of law at the University of Maryland, said in prepared testimony before the Senate committee Tuesday.
“It is time to modernize these laws by applying them to all companies that peddle sensitive personal information. If the laws cover only a narrow range of entities, they may as well be dead letters. For example, protections in HIPAA don’t govern the ‘health profiles’ that are compiled and traded by data brokers or fintech firms, which can learn a great deal about our health even without access to medical records.”