New Bill Would Set Standard for Financial Data Security
A new bill introduced earlier this month, the Consumer Information Notification Requirement Act, would ensure customers of financial firms are protected in the event of a data breach but has drawn the ire of trade groups.
Making laws by nature, especially when it pertains to data breach legislation, tends to be a nebulous affair.
One of the latest to wend its ways through the halls of our nation's government would help set a new data security standard for the financial services industry if enacted however.
The bill, the Consumer Information Notification Requirement Act, would essentially amend the nearly two-decade-old Gramm-Leach-Bliley Act, legislation passed in 1999 that’s viewed in many circles as antiquated as it doesn't require notification of consumers of data breaches.
The legislation would require the insurance industry to adopt a set of new standards around data security. When it comes to safeguarding customer information the bill would hold companies to the same standards in previously published guidelines like the Comptroller of the Currency, the Board of Governors of the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.
The bill wouldn't just hold banks to the standards, it would also apply to insurance providers, investment companies, securities brokers, and dealers.
The bill was introduced by Congressman Blaine Luetkemeyer (R-Mo.) earlier this month to coincide with the one-year anniversary of 2017's massive 145.5 million person Equifax breach.
Luetkemeyer, who chairs the House Financial Services subcommittee, said the goal of the bill is extend data security and notification standards to customers of all financial intuitions.
Like other data breach bills that have emerged in recent years - and there have been a lot - the bill would preempt state data security and breach notification laws already on the books.
One interesting element of the legislation - and one that's served as a point of contention over the last several weeks - has been the fact that it would also hinder states from implementing their own data security requirements.
The National Governors Association, a collective of governors from states, territories, and commonwealths within the U.S., came out against the bill in the days following its announcement. In a statement the special interest group said it was worried specifically about the idea that states would be prohibited from imposing their own consumer protection standards.
"This legislation would prohibit states from imposing or enforcing any strong consumer protection standards that go above and beyond federal standards, thereby inhibiting ongoing efforts by states to adopt data security laws and regulations that are in the best interest of consumers. For this reason, NGA urges the committee to oppose H.R. 6743," the group said last week.
A slew of other advocacy groups, like the Consumers Union, the Conference of State Bank Supervisors, U.S. PIRG, the Electronic Frontier Foundation, and the American Civil Liberties Union, also objected to the legislation.
Perhaps it’s not a surprise that Dave Jones, California's Insurance Commission, also sent a letter to members of the Committee of Financial Services objecting to the legislation as well.
The bill, HR 6743, would undermine legislation already on the books, according to Jones. The bill would require notifying consumers when a breach is "reasonably likely to result in identity theft, fraud, or economic loss." Currently California's law requires notification if data has "been acquired by an unauthorized person, irrespective of any subjective judgment as to whether such acquisition is 'reasonably likely' to result in theft, fraud or financial harm that may befall the consumer,” according to Jones.
If passed the bill could impact California's Data Privacy Protection Act, a landmark bill passed this summer by lawmakers that has needs some work before it goes into effect in 2020 but would give consumers the ability to ask what kind and how much data companies have on them and sue over data breaches.