On Wednesday, March 7, the House Financial Services Committee (“HFSC”) considered two legislative proposals to streamline data breach notification laws. HFSC’s Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime.” The hearing was intended to examine two bills, the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 and the Data Acquisition and Technology Accountability and Security Act.
The Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 was introduced by Representative Patrick McHenry (R-North Carolina). This bill would amend the Federal Financial Institutions Examination Council Act of 1978 to mandate oversight of large consumer reporting agencies’ cybersecurity measures and policies. Additionally, the bill would amend the Fair Credit Reporting Act (“FCRA”) to include a provision allowing consumers to request a security freeze on credit reports, specifically allowing exceptions for some fees. It would also ban the use of consumers’ Social Security numbers as an identification method after the year 2020. A version of the freezes provided for in the bill was included in the Economic Growth, Regulatory Relief, and Consumer Protection Act, which is currently under consideration in the Senate and is expected to pass later this week.
Although not yet formally introduced, sponsors have released draft text of the Data Acquisition and Technology Accountability and Security Act for public consideration. The legislation was authored by Representative Blaine Luetkemeyer (R-Missouri), Chairman of the Subcommittee on Financial Institutions and Consumer Credit, and by Representative Carolyn Maloney (D-New York), Ranking Minority Member of the Subcommittee on Capital Markets, Securities, and Investment. The legislation will establish a national security standard and breach notification system overseen by the Federal Trade Commission, and includes a protocol for notifying law enforcement of data breaches.
The Committee heard from four witnesses during the hearing: Sara Cable, Director of Data Privacy and Security and Assistant Attorney General at the Office of the Attorney General, Commonwealth of Massachusetts; Francis Creighton, President and Chief Executive Officer of the Consumer Data Industry Association; John S. Miller, Vice President of Global Policy and Law at the Information Technology Industry Council; and Jason Kratovil, Vice President of the Financial Services Roundtable.
Of particular interest to members of the Subcommittee during the hearing was how individual states’ security and notification laws can be reconciled with a proposed federal policy. During the hearing, the witnesses expressed support for a national policy, reiterating the need for a national standard to ensure that companies can successfully notify consumers by following a single, streamlined protocol. According to one witness, fewer than half of the states reference data security in their laws, making it difficult to ensure consistency in how consumers are informed of their rights.
Neither of the bills is currently scheduled for legislative markup.