Can this data security bill succeed where others failed?
WASHINGTON — On top of everything else Congress is trying to do during a packed legislative calendar, two lawmakers want to add another financial services policy initiative to the list: data security.
Modernizing data security laws has confounded Washington for years, and the gap in clear data security requirements is made more noticeable by the steady drip of breaches, including the massive Equifax hack announced in September.
A bipartisan draft bill released Friday by Reps. Blaine Luetkemeyer, R-Mo., and Carolyn Maloney, D-N.Y., which would implement nationwide standards on breach notifications and how data is handled and stored, looks to pick up where past efforts have failed.
But jurisdictional turf battles between congressional committees have stymied past efforts, and it’s not clear if the renewed effort will be any more successful.
“Historically they have not been able to bridge that gap between the committees of jurisdiction and that is why” Congress has not been able to pass a bill, Jason Kratovil, vice president of government affairs at the Financial Services Roundtable, said in an interview.
The bill builds on a 2015 piece of legislation put forward by former Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del., requiring businesses to have a breach notification program, designate a person to be in charge of data security and have boards review a company's data security program annually.
The new bill looks to implement a national data security standard that the Federal Trade Commission would enforce. However, financial institutions and healthcare companies that already have data security requirements would be considered in compliance. The bill would establish a new breach notification regime and federal security standards on the handling of personal information.
Yet Luetkemeyer and Maloney's effort follows a string of recent legislative attempts to clarify and improve data security requirements. Before now, disagreement over which committee should oversee legislative efforts has stalled progress.
The two House members sit on the Financial Services Committee — with Luetkemeyer chairing the financial institutions subcommittee — but other committees have claimed jurisdictional authority. For instance, the Energy and Commerce Committee has also produced legislation in the past, but it too stalled. The House Judiciary Committee has also claimed a role.
To be sure, however, the desire among several parties to enact a consistent set of data industry standards has not dissipated, and the high-profile breaches at Equifax, other large companies and government have heightened attention on the issue.
“This is one of our top priorities; it is something that our members are being impacted by — horrific data breaches,” said Brad Thaler, vice president of legislative affairs at the National Association of Federally-Insured Credit Unions.
Other pending bills from different corners of Congress remain in the mix. Last November, Sen. Patrick Leahy, D-Vt., introduced the Consumer Privacy Protection Act of 2017 in the Senate Judiciary Committee. Sen. Elizabeth Warren, D-Mass., recently introduced a bill that would give the FTC rule-writing authority to set cybersecurity standards.
Kratovil said some new faces leading the legislative effort could try to resolve the jurisdictional issues, while the recent breaches keep the issue of data security fresh in lawmakers' minds.
“Whether it is recent data breaches or different personalities in Congress … all we can do is hope," he said. "But it is too early to know whether that [it] is going to be the case going forward” that the latest bill is successful.
While financial institutions are regulated by the Gramm-Leach-Bliley Act, which requires them to have a data breach program, many other businesses operate with less stringent requirements and would be directly covered by the Luetkemeyer-Maloney bill. Still, nonbanks appear to be backing the legislative effort.
“Congress has an important role to play in developing a national strategy to combat cybercrime, and we appreciate the subcommittee taking the first step on an issue RILA has been leading the effort to resolve,” Nicholas Ahrens, vice president of privacy and cybersecurity at the Retail Industry Leaders Association, said in an emailed statement. However, the retail association said it wasn’t ready to support the Luetkemeyer-Maloney bill.
But others contend that a federal requirement superseding states with tough requirements could put more consumers at risk.
“I think it would be better not to preempt state laws that currently provide strong protections to consumers,” said Marc Rotenberg, president of the Electronic Privacy Information Center, during a recent hearing before Luetkemeyer's subcommittee. “I think there is a very real risk in fact that if you pass a national standard that is weaker than what many of the states currently provide you will see an increase in the levels of identity theft and financial fraud in the United States.”
Rep. Maxine Waters, D-Calif., said during the hearing that she fears adopting a national standard could weaken requirements.
“My concern," she said, "is that when you start to talk about national standards … and you have to basically come [up] with a consensus … that the national standard is a race to the bottom.”
But the new bill appears to support a stronger national standard than previous proposals, such as the Neugebauer legislation in 2015.
“If you build in statute a strong enough standard, maybe then you don’t have to call for any rules to be written and just allow the enforcement mechanism to play out going forward,” Kratovil said.
For example, he pointed to a section of the bill that calls for a company to “immediately notify without unreasonable delay” those affected by a breach.
“It is that 'immediate' word that will probably raise eyebrows,” he said.