WASHINGTON — Financial institutions and retail companies are trading barbs over which industry poses greater risk to sensitive customer information just as lawmakers are planning to take another stab at a data security bill.
Bank and credit union trade associations sent a letter to House lawmakers on Wednesday supporting a data security proposal being put forward by Reps. Blaine Luetkemeyer, R-Mo., and Carolyn Maloney, D-N.Y.
“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” said the letter, signed by seven financial trade associations.
Banks and credit unions argue that they are already held to a higher data security standard by their prudential regulators, while other businesses that hold valuable data are less incentivized to protect it.
Rep. Brad Sherman, D-Calif., who has co-sponsored data security bills in the past, told a conference of the Credit Union National Association meeting in Washington on Wednesday that he aims to get a bill over the finish line “this year.”
“It is time to impose on those retailers and others who are holding the data the same kind of standards that apply to you,” said Sherman, who serves on the House Financial Services Committee along with Luetkemeyer and Maloney.
“It makes sense to put the cost of security breaches on those who are best in position to prevent the security breach,” said Sherman.
However, retailers are pushing back against the idea of carving out financial companies and healthcare providers — which are both subject to separate data security standards — from a new set of federal standards. The Luetkemeyer-Maloney bill includes such an exemption.
A Feb. 23 blog post by the National Retail Federation cited a 2017 Verizon report that found nearly 25% of breaches occur at financial institutions and said that a data security bill shouldn’t give them “special treatment” and preempt state law.
“Not only do they want a way around state laws, they want to be exempted from any federal disclosure requirements,” said the blog post. “In other words, they want zero accountability for their breaches.”
But the letter from the financial trades said financial companies are already subject to “rigorous” data security standards.
“Contrary to statements made recently by some retailer groups, banks and credit unions have long been subject to regulatory mandates that set rigorous data protection and breach notification practices for financial institutions to follow,” said the letter. “In fact, federal regulators describe these notification obligations as ‘an affirmative duty’ for which compliance is demanded, and are considered to be an element of fundamental Safety and Soundness for the overall banking system.”
Signing the letter were the American Bankers Association, Consumer Bankers Association, Credit Union National Association, Financial Services Roundtable, Independent Community Bankers of America, National Association of Federally-Insured Credit Unions and The Clearing House Association.