Once again, the key Committees in both the U.S. House and Senate are working on legislation that would set national standards on personal data protection and responses to breaches. While Congress has considered such legislation for over a decade, the odds for success seem greater this year. Data breaches at various companies and institutions around the United States are increasing and getting more severe, and last summer’s massive breach of the personal data of 145 million customers at Equifax, together with Equifax’s handling of the notification of the breach, was seen by many as a clarion call. In addition, the lack of uniform standards among the states is increasingly confusing to both companies and consumers, and a compliance nightmare for companies.
Currently, 48 states and the District of Columbia each have their own laws on breach notification that dictate how and when companies must notify people that personal data has been breached. Fifteen states have data protection laws that require all companies (most notably retailers) to adopt tough standards for data protection, like those used by banks. The other 35 states have lesser or no standards for data protection.
The key Committees in Congress currently working on legislation are the House Financial Services Committee Financial Institutions and Consumer Credit Subcommittee, the House Energy and Commerce Committee, and the Senate Commerce Science and Transportation Committee. All the Committees have been holding hearings and getting input from key stakeholders and the usual issues are emerging.
The overarching issues are how tough should the federal standards be and what would be the fate of existing state standards.
Businesses and companies prefer a bill that will set a single, uniform, national/federal standard for notification and protection that will pre-empt the various state laws. However, states such as California, New York and Massachusetts, which have particularly tough standards, along with data privacy and consumer advocates, only want a federal/national standard that serves as a “floor,” which would allow states to continue to have or enact tougher measures. However, the idea of a “national” standard that is not uniformly applied across the nation kind of defeats the main purpose of a national standard.
On the protection issue, retailers do not want to be held to the same standards as banks.
Other key issues include: how quickly companies must notify customers about breaches; the responsibility of third parties to notify a “covered entity” (such as a retailer or bank) of a breach; who is responsible for notifying customers; to what degree banks are financially responsible for customer losses caused by breaches at their retail clients; whether breached companies should have to provide free credit freezes; the relation to the Federal Trade Commission’s data security authorities; and not giving companies an incentive to “not know or detect” vulnerabilities or breaches in order to escape responsibility, among others.
Perhaps the key player in Congress right now is Representative Blaine Luetkemeyer, R-Mo., the Chairman of the Consumer Credit Subcommittee, who recently circulated a draft bill that he plans to consider at hearings before his subcommittee the week of 4 March, or the following week. What does seem key this year is for major industries to get and stay aligned on legislation so as to avoid the various Committees taking differing approaches on key issues—a situation that has stymied past legislative efforts.
The bottom line is that, while there is serious interest in federal legislation, lessons have been learned from past legislative efforts, and the Equifax breach has given the legislation fresh impetus and attention. In years past, no bills on this subject have even made it through the House or Senate, and while there is a chance a bill could get through the House this year, subsequent passage in the Senate could be very difficult.
Stay tuned to the ASIS Government Relations page for future updates on this and other federal legislative issues.