Reconciling Competing Data Security Standards Applicable to Data Held by Retail Banks Operating in California in Light of Van Buren and TransUnion

Abstract

When operating in California, retail banks face competing, seemingly inconsistent, federal, state, and industry data security standards. The article describes what regulations prescribe data security standards for banks operating in California. It analyses private rights of action available in the event of a data breach, how such private rights may be affected by the Van Buren and TransUnion decisions, and what data security standards are set forth by each of the controlling regulatory regimes, as well as other industry standards which may inform the applicable standard of care regarding non-personal information. Finally, the article presents a position on how a California bank can reconcile the applicable security standards, and provides a suggestion for a data security benchmark for retail banks operating in California by positing that a ‘reasonable’ data security program is not only one based on assessment of risk and industry best practices, but is also reconcilable with the seemingly competing regulatory regimes applicable to banks operating in California.