In the last month, the House Financial Services Committee’s Financial Institutions and Consumer Credit Subcommittee held two hearings on data security, the second specifically addressing legislative proposals the subcommittee is considering.
The first hearing, held Feb. 14, was to discuss the current data security and breach notification regulatory regime. The hearing examined opportunities to reform current federal and state data security regulatory regimes to close any gaps in data security and data breach regulation, and reduce vulnerabilities and shortcomings in the system.
Subcommittee Chairman Blaine Luetkemeyer (R-Mo.) began that hearing by stating, “This is a vastly complex issue that impacts nearly every business in this nation. But our primary focus throughout this endeavor should be the consumer. Can we create a system that puts them first? How can we safeguard their data without overburdening the entities that they patronize? When is the right time to notify them that a breach may have occurred?
“Bottom line is that we, the American people, deserve better than the status quo. All entities that handle our personal information have some responsibility to maintain data security standards that protect our information and to keep us better informed of instances that could lead to theft, fraud or economic loss. We have the right to this information so we can be empowered to protect ourselves,” he said.
Nathan D. Taylor, partner, Morrison & Foerster LLP, described the current landscape of state laws as “a complex matrix of inconsistent, sometimes duplicative and often contradictory requirements.”
“With respect to state safeguards laws specifically, today only 15 states have laws in effect that impose general requirements on all companies to protect the security of sensitive personal information,” he said. “Most of these safeguards laws impose only a high level obligation to take reasonable steps to protect sensitive information. Only a few include detailed security requirements, and those are often modeled on the safeguards rule issued by the Federal Trade Commission pursuant to the Gramm-Leach-Bliley Act.
“In contrast, however, today, 35 states do not have generally applicable laws that require all companies to protect sensitive personal information,” Taylor continued. “If you are an American, where you live should not impact whether there’s a legal obligation to protect sensitive information about you. In my view, this point is not controversial. We need a national standard for security to ensure that all Americans are protected while also leveling the playing field for American businesses.”
Summit Credit Union President and CEO Kim Sponem, on behalf of the Credit Union National Association, noted that credit unions and banks are subject to data security requirements, but that other entities that hold personal information are not held to those standards.
“Companies that do not need to store personal information should either not store it or be subject to the standard. Companies should not be allowed to put consumers at undue risk,” Sponem stated. “And communicating a data breach in a timely manner allows consumers and financial institutions the ability to try to reduce possible losses with early detection and awareness. The current system is not fair or sustainable. Consumers are protected from losses because financial institutions bear the responsibility for reimbursing them. Those that are negligent should bear the cost. Protecting data is expensive and it’s labor-intensive. But a company that stores information needs to invest in these protections for consumers as a cost of doing business, or not store the information at all.”
Aaron Cooper, vice president, Global Policy, BSA – The Software Alliance, told the committee that only Congress can ensure that there is a uniform and effective federal standard. He outlined three goals for any legislation put forth by the committee.
“First, legislation should minimize the risk of data breaches. It should require companies that collect or maintain sensitive personal information to implement reasonable data security practices. The practices should be scoped in size to the complexity, sensitivity and volume of personal information on a company’s systems. Second, legislation should mitigate the impact of breaches that do occur. Legislation should ensure that consumers receive timely and meaningful notification based on a risk-based analysis. Third, legislation should create uniformity. We currently have a thicket of 48 different state data breach notification standards. The variations between the state laws are not trivial and it’s unhelpful in the wake of a breach of personal information to have a company working with a team of lawyers to understand what requirements must be met in each jurisdiction before notifying customers of the breach.”
“In conclusion, there’s a lot that Congress can do to improve the situation for both businesses and consumers,” Cooper said. “Well-crafted legislation can facilitate rapid and robust responses to significant security incidents. And federal guidance on data security will drive stronger security measures across the Internet ecosystem.”
During the second hearing, held March 7, the committee discussed two legislative proposals, the “Data Acquisition and Technology Accountability and Security Act” and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology (PROTECT) Act of 2017.” These bills – sponsored by Reps. Blaine Luetkemeyer (R-Mo.) and Patrick McHenry (R-N.C.), respectively – would reform the current data security and breach notification regulatory regime, as well as reform standards for large consumer reporting agencies.
The Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act was introduced Oct. 12, 2017 and amends the Federal Financial Institutions Examination Council Act of 1978 to require supervision and examination of large consumer reporting agencies regarding cybersecurity measures.
It “also amends the Fair Credit Reporting Act (FCRA) to allow consumers to request that a consumer reporting agency place a security freeze on their reports, and includes provisions for fees and exceptions from such fees. This legislation also amends the FCRA to prohibit the use by consumer reporting agencies of a consumer’s Social Security number in a consumer report or as a method to identify the consumer after Jan. 1, 2020.”
The yet-to-be-introduced Data Acquisition and Technology Accountability and Security Act “would establish a national data security standard and a national data breach notification standard with a federal enforcement mechanism overseen by the Federal Trade Commission. The draft would replace the current patchwork of state and federal regulations for data breaches with a national law that provides uniform protections. This draft establishes a technology-neutral ‘reasonableness’ standard for data security. The standards would be flexible and commensurate to the covered entity’s size and complexity, activities, sensitivity of the information it maintains, and the cost of available protections. Additionally, the draft includes requirements for consumer and law enforcement notifications if there has been an occurrence of a breach of data security that contains personal information.”
Witnesses at the March 7 hearing offered the following perspectives in their testimony.
“Consumers today benefit from a democratic, accurate and fair credit system. Individual consumers have the liberty to access credit anywhere in the country from a wide variety of lenders based solely on their own personal history of handling credit. Families buying a home for the first time access mortgage products that suit their individual needs and capabilities. Young people who have new jobs in a new city can go to an auto dealer and drive away with a financed car even without any history in that community. With the rise of the Internet, new credit opportunities have expanded even further to meet individual needs,” said Francis Creighton, president and CEO, Consumer Data Industry Association.
“[T]he reality facing organizations today is they must race to keep up with increasingly sophisticated and well-resourced hackers – ranging from criminals to nation-states – who are scheming to stay one step ahead of their victims. Unfortunately, the percentages do not favor the defenders, who must be successful every time to avoid a breach. Instead, the odds favor the attackers, who only need to be successful once to execute a successful breach. And when a breach of sensitive personally identifiable information (PII) occurs, we believe there should be a streamlined and uniform process to notify consumers in cases where there is a significant risk of identity theft, financial harm, or material economic loss,” said John S. Miller, vice president, Global Policy and Law, Information Technology Industry Council.
“Data breach and payment security issues are fundamentally about protecting consumers. Every American business that handles sensitive financial information should have an innate motivation to protect it, if for no other reason than maintaining the trust and continued business of their customers,” said Jason Kratovil, vice president, Financial Services Roundtable.