Cybersecurity & Standards, Privacy & Data
CDT’s Samir Jain Testifies Before House Committee on Financial Services on Cyber Threats, Consumer Data, and the Financial System
On Wednesday, November 3, 2021, the Center for Democracy & Technology’s Samir Jain (Director of Policy) testified before the House Committee on Financial Services‘ Subcommittee on Consumer Protection and Financial Institutions.
Samir discussed “Cyber Threats, Consumer Data, and the Financial System,” and a portion of his testimony is pasted below.
***
On behalf of the Center for Democracy & Technology (CDT), thank you for the opportunity to testify about cyber threats and consumer data in the financial system. CDT is a nonpartisan, nonprofit 501(c)(3) charitable organization dedicated to advancing civil rights and civil liberties in the digital world. For over 25 years, CDT has championed policies, laws, and technical designs that empower individuals and communities to use technology for good – while protecting against invasive, discriminatory, and exploitative uses. CDT works to promote privacy, security, and other human rights online by holding governments and companies accountable for the ways they shape our online environment. CDT has offices in Washington, D.C., and Brussels, and has a diverse funding portfolio from foundation grants, corporate donations, and individual donations.
In my statement, I will make some observations about the cyber threat environment, highlight three of the challenges we face in addressing these threats, particularly in the financial services sector, and discuss several potential areas in which we can and should make progress to better protect consumers and their data.
…
The time has come for Congress to enact comprehensive federal privacy legislation that, particularly for sensitive information such as consumer financial data, shifts the burden away from consumers and imposes obligations on the entities that collect, use, and share data. We all know that consumers rarely read online privacy policies and that “notice and consent” therefore largely rests on a fiction. This model encourages companies to write permissive privacy policies and entice users to agree to data collection and use by checking (or not unchecking) a box. The sheer number of privacy policies, notices, and settings or opt-outs individuals have to navigate means that this model fails to provide adequate protection.
Privacy legislation should, among other things, require an entity to minimize the data it collects and processes based on the purpose for which the entity needs data (e.g., to provide a product or service requested by a consumer); prohibit unfair data practices, particularly the repurposing or secondary use or sharing of sensitive data without the express, opt-in consent of the consumer; and include data security requirements.
Each of these steps will lower the risk to consumers from cyber attacks by reducing the amount of sensitive data that will be collected, stored, and shared, and ensuring that whatever data is collected is handled with appropriate care. Moreover, by providing a baseline that applies to all companies, comprehensive federal privacy legislation will avoid the situation we have today in which the same consumer data may receive some protection if processed by one company (such as a “financial institution” under GLBA), but less protection if processed by another.
