Specifically the groups are requesting legislation be enacted that mirrors the following ideas:

• A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
• A notification regime equivalent to what is in the Gramm-Leach-Bliley Act (GLBA)requiring timely notice to impacted consumers, law enforcement, and applicableregulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
• Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
• Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.

Under federal law the Gramm-Leach-Bliley Act requires financial services companies to explain their information sharing practices to customers and protect their private data.

The letter is the second that CUNA has signed off on to Latta over the last week. The first, sent by the trade association's CEO Jim Nussle on Friday, highlighted the mounting losses to financial institutions by merchant data breaches.

"This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches," Nussle wrote in support of legislation, "This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide."

Fractured state data breach laws - including increasingly progressive legislation on the books in states like Colorado - have put the onus on credit unions to keep track of breaches like never before. The fact that these laws, state-by-state, change so frequently, has almost certainly raised the ire of financial services corporations, which are required to notify customers hit by breaches.

Ever since last fall's massive Equifax breach injected new life into data security and breach notification legislation, stakeholders have beat the drum for a federal breach notification standard. Latta (R-OH) has held a series of listening sessions around the concept this year but it's unclear if they've had much resonance with the representative.

One difficulty with getting data breach legislation passed of course is the fact that it would supersede any existing state law already on the books. With the sheer number of breaches of late the floodgates have opened however.

The U.S. Treasury echoed the sentiments of the trade groups on Tuesday as well, something which could pressure lawmakers. In a lengthy, 222-page blueprint (.PDF) for regulating financial technology, the department also called on Congress to enact a national data breach notification standard.