Legislation that would protect consumers from identity theft and fraud and establish a national data security and breach notification standard for financial institutions and retailers to better protect consumer financial data was introduced Friday by Rep. Randy Neugebauer (R-Texas), chairman of the House Committee on Financial Services Subcommittee on Financial Institutions and Consumer Credit, and Rep. John Carney (D-Del.), a member of the Financial Services Committee.
“Today, I am pleased to partner with Rep. John Carney in introducing much-needed bipartisan data security and notification legislation,” Neugebauer said in a statement Friday. “This legislation was crafted with three guiding principles. First, any national standard must be technology neutral and process specific. This helps ensure the private sector can continue to innovate. Second, we need everyone at the table—all participants in the payment system must equally share in the efforts to protect consumer financial data.”
Neugebauer said that, “As we have learned from too many previous breaches, the system is only as strong as the weakest link. Finally, the standards we establish are scalable and well-tailored to avoid unnecessary burdens on small businesses. It is imperative that any standard take into consideration the size, scope, and type of financial information businesses hold.”
“Consumers need to know that when they use their credit card to make a purchase, their personal information is secure,” added Rep. Carney. “Our approach makes the rules of the road clear for everyone involved. All the relevant parties – the banks as well as the retailers – will have skin in the game when it comes to preventing and cleaning up after data breaches. We can’t afford to wait for another massive data breach to occur. Congress needs to take up our bill as soon as possible to make sure consumers are protected in the event of another breach.”
In a “Fact Sheet” the two lawmakers released when announcing their Data Security Act of 2015, they stated that the problem is that while “the government requires financial institutions to have information security programs, there are others within the chain of commerce that store or handle the same account information and non-public sensitive information. These actors have no equivalent requirements to protect such data.”
Thus, they said, “Without a set of standard requirements to follow, repeated breaches at non-financial institutions have resulted in significant costs for consumers and society. Congress’ failure to act has led to a byzantine patchwork of state laws for both data security and breach notification. This is confusing for consumers and a compliance nightmare for companies.”
The solution, they stated, is the Data Security Act, which “establishes a single, consistent minimum standard for both data security and breach notification. A single standard for security and breach notification provides better protection for consumers and provides greater clarity for businesses.”
The Data Security Act “provides flexible and scalable standards. This permits each business to have a data security program that is technology neutral and process specific. Small businesses may tailor their data security requirements to fit with the size, nature, and scope of their business in order to avoid any unnecessary burdens and costs.”
Neugebauer said, “We live in a world with a global marketplace supported by a global payments system. This payment system is a vast ecosystem with many participants delivering payment services to consumers in the blink of an eye. Immense amounts of sensitive consumer financial information are transferred, processed and stored in any one transaction. This technological innovation has fueled the engines of economic growth and expanded opportunity, while introducing new threats that we must now address. Recently, we have seen an increased prevalence of major cyber breaches resulting in consequences for millions of individuals in families.”
The Financial Services Roundtable (FSR) quickly applauded introduction of the bipartisan bill, saying it “will help prevent data breaches by enacting strong new protections for sensitive financial information and establish uniform guidelines to ensure customers receive timely notification when a breach happens.”
“Ensuring that every industry is required to follow clear rules to safeguard data is the best way to help protect consumers,” said FSR President and CEO Tim Pawlenty. “This measure, with its strong, but flexible, data security standards and common-sense consumer notification requirements, can help stop the parade of retailer data breaches.”
“In addition to establishing robust but scalable and non-prescriptive data security standards that firms of any size can follow,” FSR said, the legislation also “lays out clear steps businesses must take in the event of a breach that compromises financial information and puts consumers at risk. The steps guarantee that consumers are alerted to the incident and know what steps they can take to protect themselves. This is done by creating a uniform set of national data security and breach notification requirements, while also recognizing that some industries, like financial services and healthcare, already comply with rigorous data security regulations.”
Last week in the Senate, Sen. Thomas R. Carper (D-Del.), former chairman of the Senate Committee on Homeland Security and Governmental Affairs, introduced a companion bill, the Data Security Act of 2015 (S 961).
Referred to the Senate Committee on Commerce, Science and Transportation, Carper’s legislation would establish strong and uniform national data security and breach notification standards for electronic data, and expressly preempt any related state laws in order to provide the Federal Trade Commission with authority to enforce such standards for entities covered under the legislation.
Also last week, the House passed the bipartisan National Cybersecurity Protection Advancement Act (NCPA), which would help American businesses better protect their digital networks from cyber attacks, help stop cyber criminals and better protect American companies from cyber espionage by nation states like China, Russia and Iran.
It remains to be seen what the Senate does on similar, companion legislation pending there.
“The House of Representatives sent a clear signal that Congress can and should pass a cyber threat information sharing bill into law,” Carper said following the House’s approval of its cybersecurity legislation.
“Now, all eyes are on the Senate,” Carper acknowledged, saying, “I hope my Senate colleagues and I can continue this important progress to strengthen our nation’s cyber defenses in a timely and transparent manner. It’s important that any bill that Congress passes empowers companies with clear legal authority and liability protection to share critical data while upholding the civil liberties we all cherish.”
Meanwhile, the Protecting America’s Cyber Networks Coalition sent a letter to members of the Senate urging them to take up and pass the Cybersecurity Information Sharing Act (CISA) of 2015 (S 754), pointing out that, “In March, the Senate Select Committee on Intelligence passed CISA by a strong bipartisan vote (14–1).” The coalition stated, “The Senate can build on the momentum generated in the House to move CISA forward.”
“Last week,” the Coalition pointed out, “the House passed two cybersecurity information-sharing bills—the Protecting Cyber Networks Act (HR 1560) and the National Cybersecurity Protection Advancement Act of 2015 (HR 1731)—with robust majorities from both parties and broad industry support.”