Battle Over Cyber Bill Reveals Fissure Between States and D.C.

WASHINGTON — Among the many complexities standing in the way of data security legislation, now add to the mix disagreements between state and federal authorities over who is better equipped to oversee security standards.

Addressing a House proposal to create a national breach notification standard, a Massachusetts official warned lawmakers Wednesday that the bill — authorizing the Federal Trade Commission to enforce new data security rules — could water down consumer protections and trump state authority.

"We understand federal standardization is the thrust of this bill," said Sara Cable, assistant attorney general in Massachusetts, before the House Energy and Commerce subcommittee on commerce, manufacturing and trade. "We do, however, have serious concerns that the standards set by this bill are too low, preempt too much and hamstring the ability of my office and that of the other attorney general offices across the country to continue our important work of protecting our consumers."

The panel held one of two hearings Wednesday focused on data security. In the second hearing, before the House Oversight and Government Reform subcommittee on information technology, industry representatives urged Congress to protect companies from liability if they voluntarily share information on cyber threats.

Lawmakers have labored for years to try and move just one of the many legislative proposals floated on Capitol Hill to improve cybersecurity measures. Recently, the White House has also called for cybersecurity legislation, including provisions to better enable banks and other private sector companies to share information with the government about cyber threats.

The draft proposal discussed by the Energy and Commerce subcommittee would enable the FTC to create a national breach notification standard to take the place of common state laws.

Jessica Rich, director of the bureau of consumer protection at the FTC, told the panel that her agency has worked on data security issues since the 90s and therefore has the experience to oversee a new federal regime.

"As to jurisdiction... we should have jurisdiction in this bill," Rich said. "The FTC should have jurisdiction over carriers in this bill because we have brought so many cases in this area, we bring so much enforcement expertise to this issue."

Rep. Peter Welch, D-Vt., said the existing regulatory regime is too fractured, and therefore agencies like the FTC and Federal Communications Commission need a clearer mandate to oversee security standards.

"We don't have any legislative authority for the FTC or FCC to do much," Welch said. "We need to pass legislation that is going to deal with this incredible problem."

But others point out that state attorneys general still have an important role to play, and praise the current proposal for attempting to keep states in the mix.

"I have seen legislation when I was at the FTC that sometimes took state AGs entirely out of the business of the law and [the draft legislation does not] do that which I think is incredibly important," said Jonathan Leibowitz, a partner at Davis Polk & Wardwell LLP and former chairman of the FTC, in prepared testimony before the House subcommittee.

At the other hearing, trade groups including those representing the banking, retail and healthcare industries said they support legislation to share data with the government.However, they also want any new law to offer clear liability protection.

"We need clarity in terms of what that liability protection for... sharing information is and recognizing that proper privacy protections need to be in place and that data needs to be minimized," said Doug Johnson, senior vice president and chief advisor at the American Bankers Association. "But I think that would greatly enhance the ability for us to have more information sharing across sectors."

Industry groups also warned the Oversight and Government Reform panel about the risks of legislation that would require too much data sharing. They argued that some industries already struggle in having too process too much data, especially smaller companies that have fewer resources.

"We certainly are in favor of information-sharing but, again, if you don't have mature organizations you end up with bad data being shared which really doesn't help anybody," said Daniel Nutkis, chief executive of the Health Information Trust Alliance. "So what we're hoping is to get the controls in place and adopt those controls to force more mature organizations to more effectively share."

Meanwhile, a retail industry representative reiterated concerns that the frequency of banking-related breaches necessitate U.S. financial institutions adopting stronger card security features.

David French, senior vice president of the National Retail Federation, told lawmakers that banks have "three times more data breaches" than retailers.

"I do not cite these figures to criticize our colleagues in the banking industry but merely to illustrate the fact that the incidents of data breaches are proportionate to the relative value of information that can be stolen," French said. "Criminals seek high-value information and data thieves know that banks carry our most sensitive personal finical information, including not just card numbers, but bank account numbers, social security numbers and other identified data that can be used to steal identities beyond completing some fraudulent transaction."

French used the point to repeat calls on banks to switch to so-called chip-and-PIN cards like many European banks have already done.

"There's one single fact that banks and card networks must acknowledge: all decisions about card design and security are theirs alone. Retailers didn't forgo chip technology in the U.S. for almost two decades," French said. "And we didn't conceive of the complex, constantly and largely ineffective payment card industry and data security standards. But we have to live with the downstream costs of these decisions every day."