If Congress doesn’t take the lead on protecting consumers from data breaches, states are more than ready to offer their own fixes.
Legislative sessions will kick off in dozens of states this month, and in many of them, lawmakers are expected to introduce bills that would mandate free credit freezes for consumers affected by data breaches and impose strict punishments on firms that are hacked and fail to notify consumers in a timely manner.
In the wake of the hack at Equifax that compromised the personal data of some 145 million Americans, the American Bankers Association estimates that legislation toughening laws around data breaches will be introduced in at least half of all states this year. In North Carolina, for example, Attorney General Josh Stein, along with state Rep. Jason Saine, recently announced their intent to file a bill that, among other things, would require firms that are victims of breaches to notify affected consumers and the attorney general within 15 days.
Banks, by and large, appreciate states’ efforts to strengthen data-breach laws, but with so many banks operating in multiple states, they would prefer for Congress to pass a federal law that would override the patchwork of state laws.
“Trying to map out conflicting state laws can be an issue and it’s particularly significant in data security laws because of the reputation risk,” said Nathan Batts, senior vice president and counsel for the North Carolina Bankers Association.
Democratic Sens. Elizabeth Warren and Mark Warner announced this week that they plan to introduce federal legislation that would impose heavy financial penalties on credit bureaus that fail to protect consumers’ personal information from data breaches.
That proposal would set mandatory fines of $100 for every person who has had a piece of personally identifiable information compromised in a breach, with another $50 levied for each additional piece of personal information compromised.
That proposal, though, is fairly narrow in that it only addresses breaches at credit bureaus. The ABA recently joined with 21 other trade organizations in calling for bipartisan legislation to address how companies prevent and handle data breaches. The groups proposed a “flexible, scalable” standard for data protection that would account for a particular organization’s size and complexity and a timely notification regime, and they said that a federal law should pre-empt existing state laws which are sometimes conflicting and contradictory.
"We think uniformity is very important because then at least everybody knows the rules of the game,” said Michael Affuso, director of government relations for the New Jersey Bankers Association.
Still, for New Jersey bankers, data security is likely to take a backseat to other issues this legislative session, including the legalization of marijuana for recreational use and the possible creation of a state-owned public bank, Affuso said.
While no bills have been introduced, newly elected Gov. Phil Murphy, a Democrat, supports public banking and marijuana legalization, and if either were to become law there would be huge implications for banks, Affuso said. Marijuana is already legal for medicinal use in New Jersey.
In New Jersey and other states where pot is legal, bankers will be closely monitoring legislatures’ response to a recent directive from U.S. Attorney General Jeff Sessions.
Lawmakers and pot advocates were caught off guard last week when Sessions rescinded guidance from the Obama administration that instructed federal prosecutors to de-prioritize cases against pot growers and distributors that were operating within the confines of their states’ laws.
Even with that guidance, banks were wary of doing business with marijuana-related businesses and industry officials said that Sessions’ announcement will only further discourage them.
“I do think this is going to have a chilling effect,” Don Childears, the president of the Colorado Bankers Association, told American Banker last week.
In at least four states, bankers will also be keeping close tabs on bills that look to add more consumer protections to the Property Assessed Clean Energy (PACE) loan program, while 16 states are mulling legislation aimed at curbing elder financial abuse.
PACE loans are not made by banks, but by private companies, contractors or not-for-profit organizations. These loans are used to finance an energy efficient upgrade to a home or commercial property, like solar panels or low-flow toilets, and are paid back as a line item on the owner’s property tax bill.
Bankers have two main issues with PACE lending programs. One concern is with the first-lien status that PACE lenders sometimes take when they make the loan. Because PACE loans are paid back through property tax rolls, they are often recorded as having a senior lienholder position.
Bankers say that can be a problem if the homeowner wants to sell or refinance their home, or if the bank needs to foreclose, because it means the PACE loan would have to be paid back before any mortgage debt. Bankers say they would prefer any PACE legislation to clarify that those loans take a subordinate position to any bank debt on the property.
A second concern is that PACE loans are generally not subject to the same kinds of consumer protection rules as loans made by banks.
In a December letter to the Council of State Governments, the ABA urged the organization to withdraw a resolution that would encourage states to emulate the California legislation adopted last year. California’s law puts some consumer protections around PACE loans, including an ability-to-repay requirement, and also requires that PACE lenders be regulated by the state’s department of business oversight.
Yet, the ABA, along with the Mortgage Bankers Association and the Credit Union National Association, said that the California law doesn’t go far enough. They would prefer to see federal legislation that applies Truth in Lending Act standards to PACE lenders and establishes that PACE loans not take lienholder status over lenders who hold the mortgage on a property.
Bankers in Ohio, Pennsylvania and other states are also supporting provisions in those states that would help financial institutions to do their part in preventing financial abuse of elderly customers.
The Ohio legislation would require accountants, real estate brokers, and employees of banks and credit unions to report suspected elder financial abuse to adult protective authorities. It would also require various state agencies to work together on developing a framework for combating elder financial abuse.
Though the Ohio legislation had its fifth hearing before the state senate’s judiciary committee before the winter break, Ohio Bankers League spokesman James Thurston said the organization is hopeful that the bill will come up for a vote this year.
Legislation pending in Pennsylvania would require that state’s Department of Aging to develop a model training program for financial institutions to use when they suspect an elderly customer is being financially exploited.
Dan Reisteter, vice president of government relations with the Pennsylvania Bankers Association, said that most of the organization’s member banks already provide similar training for their employees, following guidance issued by the Financial Crimes Enforcement Network on suspicious activity reports. Nevertheless, the association supports the proposal because it addresses some other concerns bankers have around that subject.
“What we’ve heard is, you make a report and then you don’t hear anything. And then the financial institution is continuing to observe behaviors that would suggest continued financial exploitation,” he said.
In particular, the bill would also provide for better coordination and information sharing among local aging agencies, law enforcement, and mandated reporters, like bank branch employees. The proposal would also give financial institutions the authority to stop transactions they suspect to be the result of abuse or coercion.
Meanwhile, Missouri bankers are supporting a different kind of proposal aimed at helping financial institutions navigate tricky situations banking some of the state’s most vulnerable people. There, Gov. Eric Greitens, a Republican, has proposed changes to state law that would allow children in foster care to open bank accounts without an adult’s signature.
Banks in Missouri typically require a parent or guardian to also be listed as an account holder along with any customer under the age of 18. However, children in foster care may not have a parent or guardian who is able to co-sign on an account for them, or their parent may not be trustworthy.
The proposal would mirror a state law that allows minors in foster care who are 16 or older to obtain auto insurance without a parent or guardian named as an account holder. The Missouri Bankers Association supports the bill, saying it would help provide its members with clarity about how to bank this population.