Financial Service Associations Petition for Data Breach Legislation
Financial services trade groups this week are pushing Congress to create a federal data breach notification standard.
A coalition of financial trade associations is urging two federal committees this week to expedite legislation around a national data security and breach notification requirement. The push comes amid a flurry of data breaches in general and months after a report said breaches affecting financial services firms have tripled over the past five years.
Five trade groups - the Credit Union National Association (CUNA), the American Bankers Association (ABA), the Consumer Bankers Association (CBA), the Independent Community Bankers of America (ICBA), and the National Association of Federally-Insured Credit Unions (NAFCU) – cosigned a letter to Bob Latta, the chairman for the Subcommittee on Digital Commerce and Consumer Protection, encouraging the group to move forward on legislation, on Tuesday.
In the eyes of the groups, it's essential the group, a subcommittee within the United States House Committee on Energy and Commerce, which works alongside the Financial Services Committee to shore up what they call an "inconsistent patchwork of state law.”
The systems overseen by the trade associations, obviously, are a complex web of sensitive data, including information belonging to consumers, retailers, financial institutions and so on, so it makes sense the groups are looking for a comprehensive, singular standard to safeguard that.
Specifically the groups are requesting legislation be enacted that mirrors the following ideas:
- A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
- A notification regime equivalent to what is in the Gramm-Leach-Bliley Act (GLBA)requiring timely notice to impacted consumers, law enforcement, and applicableregulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
- Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
- Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.
Under federal law the Gramm-Leach-Bliley Act requires financial services companies to explain their information sharing practices to customers and protect their private data.
The letter is the second that CUNA has signed off on to Latta over the last week. The first, sent by the trade association's CEO Jim Nussle on Friday, highlighted the mounting losses to financial institutions by merchant data breaches.
"This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches," Nussle wrote in support of legislation, "This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide."
Fractured state data breach laws - including increasingly progressive legislation on the books in states like Colorado - have put the onus on credit unions to keep track of breaches like never before. The fact that these laws, state-by-state, change so frequently, has almost certainly raised the ire of financial services corporations, which are required to notify customers hit by breaches.
Ever since last fall's massive Equifax breach injected new life into data security and breach notification legislation, stakeholders have beat the drum for a federal breach notification standard. Latta (R-OH) has held a series of listening sessions around the concept this year but it's unclear if they've had much resonance with the representative.
One difficulty with getting data breach legislation passed of course is the fact that it would supersede any existing state law already on the books. With the sheer number of breaches of late the floodgates have opened however.
The U.S. Treasury echoed the sentiments of the trade groups on Tuesday as well, something which could pressure lawmakers. In a lengthy, 222-page blueprint (.PDF) for regulating financial technology, the department also called on Congress to enact a national data breach notification standard.