WASHINGTON Despite years of debate, lawmakers are still grappling with key questions over how to set enhanced data security and notification standards to prevent cyberattacks, including whether they should preempt state laws.
The House Financial Services Committee took up the issue Thursday at a hearing, where lawmakers debated ongoing threats to the system with cyber experts and representatives from the financial and retail industries. The discussion included a number of questions from lawmakers about the extent to which a national standard should supplant state rules, how new cyber standards should be enforced and whether a banking law should apply to other industries.
The issue of balancing a federal standard with existing state rules remains a top concern, particularly for Democrats worried about weakening strong state rules with a lower federal standard. Lawmakers debated whether legislation should include a floor a baseline standard for states to follow or a ceiling that would cap rules that various states might have in place.
Critics of the floor approach warned that it would negate the need for a federal standard because rules would continue to vary across states.
"If you let the federal standard be a floor then we're right back where we are now and it defeats the purposes of having a federal standard," said Rep. Randy Neugebauer, R-Texas, the chairman of the panel's financial institutions and consumer credit subcommittee.
Neugebauer, along with Rep. John Carney, D-Del., introduced legislation this month that would expand data standards under the Gramm-Leach-Bliley Act across numerous industries and establish a national standard for notifying consumers about breaches. The bipartisan proposal is similar to a measure by Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., and would largely preempt state rules.
At the same time, some Democrats said they also worried that preemption requirements would limit the ability of state attorney generals from looking into consumer protection violations, leaving enforcement up to federal authorities.
"Rather than thinking about this as states with such different laws that will somehow cause great complications, let's think about this in terms of the fact that we want our state attorney generals to be involved," said Rep. Maxine Waters, D-Calif., the ranking member on the panel, who called preemption issues "the biggest obstacle" in this fight.
Rep. Carolyn Maloney, D-N.Y., said she was co-sponsoring the Neugebauer-Carney bill, though she wants to continue working on the language and hopes to address ongoing concerns about state preemption.
"I am still concerned about the scope of the state preemption in the bill and I want to keep working on the preemption and enforcement provisions," she said, while calling the measure a "serious and good-faith effort."
Laura Moy, senior policy counsel at the Open Technology Institute, advocated for greater state preemption, including provisions allowing state attorney generals to pursue cases.
"Federal agencies are well equipped to address large data security and breach notification cases, but could be overwhelmed if they lose the complementary consumer protection support of state attorneys general in thousands of small cases each year," she said in written testimony. "To ensure that consumers receive the best protection they possibly caneven when they are among a small handful of individuals affected by a small breachstate attorneys general must be given the ability to help enforce any new federal standard."
Lawmakers also faced pushback from retailers over the use of the Gramm-Leach-Bliley Act as a model for setting data security standards across the board. Brian Dodge, an executive vice president at the Retail Industry Leaders Association, argued that efforts to "shoehorn" other industries under the banking law could be problematic.
"It's the perspective of the retailers that the Gramm-Leach-Bliley Act [was] expressly written for the financial services community. The industries are very different. Anybody who's ever filled out a mortgage understands the information the bank holds is very different from that of a retailer," he said.
Still, supporters of the approach, including those in the banking industry, noted that unless security standards are strong for everyone, the whole system remains vulnerable.
"We can be really good, but if our partner in payments has a flawed, outdated, weak system at a point-of-sale or a back room the whole chain of events" can be disrupted, said Tim Pawlenty, president and chief executive of the Financial Services Roundtable.