U.S. House Subcommittee Holds Hearing On Cybersecurity In The Financial Industry

King & Spalding

On February 14, 2018, the U.S. House of Representatives Subcommittee on Financial Institutions and Consumer Credit of the Committee on Financial Services held a hearing entitled “Examining the Current Data Security and Breach Notification Regulatory Regime.”  The goal of the hearing was to determine whether there were any areas in the current federal and state data security regulatory regimes relating to the financial industry that could be reformed, specifically to close gaps in regulations and reduce vulnerabilities overall in the system. The Subcommittee pointed out that data breaches were becoming more common in all industries.

The Subcommittee heard from five witnesses:  Aaron Cooper, Vice President, Global Policy at BSA–The Software Alliance; Kim Sponem, CEO & President of Summit Credit Union (on behalf of the Credit Union National Association); Nathan Taylor, Partner at law firm Morrison & Foerster LLP; Marc Rotenberg, President of the Electronic Privacy Information Center (“EPIC”) and Adjunct Professor at Georgetown University Law Center; and Paul Rosenzweig, Senior Fellow at R Street Institute and former Deputy Assistant Secretary for Policy at the Department of Homeland Security.

All of the witnesses highlighted the growing threat of cyberattacks and the multitude of data breaches that have occurred in recent years. The witnesses noted that the sophistication of attackers and threats has been growing at the same time that the number of targets and the amount of personal information stored has ballooned. All of the witnesses agreed that the current regulatory and legislative regime was insufficient and ineffective in protecting consumers.

Most of the witnesses (with the exception of Rosenzweig) advocated new legislation to establish a federal data security standard. Cooper, representing the software industry, for example, noted that legislation was needed to help reestablish and increase consumers’ trust in cyber infrastructure. Sponem, speaking on behalf of the credit union industry, noted that her industry and others were already subject to various federal cybersecurity requirements, such as those established under the Gramm-Leach-Bliley Act. Other industries, including vendors and merchants upon which banks and credit unions rely, are not, and so uniform legislation would put everyone on an equal playing field and would also provide greater protection to industries that are already subject to federal standards.

Many of the witnesses also noted that any such legislation should supersede and preempt state legislation and regulations and should establish a uniform federal standard. Such a standard would reduce the complexities of nationwide cybersecurity compliance. Rotenberg, on behalf of the consumer advocacy group EPIC, instead advocated that federal legislation act as a floor and allow states to establish more stringent standards.

Interestingly, all those in support of federal legislation also urged the Subcommittee to establish strong and meaningful notification standards. The witnesses agreed that such standards would reestablish trust among consumers and help mitigate the impact of any breaches.

To date, there have been a number of cybersecurity bills introduced in the House and Senate, but none have moved forward. We will report on any significant legislative activity.

Video and testimony from the hearing are available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
