Industry Weighs In on Data Security, Cybersecurity Legislation
Why it matters
Members of the financial industry were able to share their positions and voice concerns at a recent hearing held by the House Committee on Financial Services. Discussing “Protecting Consumers: Financial Data Security in the Age of Computer Hackers,” representatives from the Financial Services Roundtable, the Electronic Transaction Association, and the PCI Security Standards Council (as well as a voice from the retail industry and tech sector) talked about the elements of the multiple data security and privacy bills currently pending before Congress. While the speakers agreed that federal legislation would prove beneficial to counter the current patchwork of state laws, disagreement arose about the scope of federal preemption. Testimony also covered possibilities to mitigate the risk of data breaches, ranging from the use of tokenization to industry-specific cyber threat information sharing. The hearing provided industry with the chance to present their perspectives; what lawmakers do with the information remains to be seen.
Continuing the legislative focus on data security and privacy, the House Committee on Financial Services held a hearing on “Protecting Consumers: Financial Data Security in the Age of Computer Hackers.”
With two bills having passed in the House already this term, lawmakers offered industry a platform to voice concerns and provide insight and analysis on its increasingly scrutinized industry. Former Governor Tim Pawlenty (now head of the Financial Services Roundtable) joined Laura Moy of the Open Technology Institute, Retail Industry Leaders Association (RILA) representative Brian Dodge, Jason Oxman of the Electronic Transaction Association (ETA), and PCI Security Standards Council rep Stephen Orfei in testifying at the hearing.
For the most part, Pawlenty and Moy were in agreement that federal legislation is necessary to help regulate the protection of consumer data; Moy also took the position that state laws with higher standards should not be preempted by a federal bill, with states allowed to adopt higher standards (similar to the healthcare industry and the Health Insurance Portability and Accountability Act).
While the ETA acknowledged that federal “legislation that creates uniform, national data breach and data protection standards that are industry neutral” was necessary, Oxman countered that any bill should completely preempt state law. RILA representative Dodge agreed. “RILA supports federal data breach notification legislation that is practical, proportional, and sets a single national standard that replaces the often incongruous and confusing patchwork of state laws in place today [to] reduce the state-level burden on interstate commerce,” he told the legislators.
ETA used forensic data to support the position that some simple technology solutions could resolve many data breach incidents, such as point-to-point encryption (including EMV chips, verification, and tokenization) as well as public-private information sharing to help secure consumer data. Oxman’s suggestions contradict recent statements by law enforcement agencies that have argued against corporate end-to-end encryption. Instead, he pointed to a variety of factors for many information compromises such as weak third-party security, lack of segmentation, and misconfiguration, or poor password protection.
The Federal Trade Commission (FTC)—the agency tasked with oversight and enforcement of many privacy and data security standards and statutes in the United States—was highlighted by RILA as the preferred authority on mandating data breach response and penalty enforcement over Congress or state statutes. Dodge cited the FTC’s consent decrees as meaningful proxies for law enforcement on data security.
RILA also reinforced the self-regulatory initiatives in the data security ecosystem such as the formation of the Retail Cyber Intelligence Sharing Center (R-CISC) and identified the Financial Services Information Sharing and Analysis Center (FS-ISAC) to provide a cyber threat sharing platform. “Key to this effort is the ability to design systems to meet actual threats rather than potentially outdated cybersecurity standards that may be enshrined in law,” Dodge testified, adding that “development of any technical cybersecurity standards beyond a mandate for reasonable security must be voluntary and industry-led.”
Orfei of the PCI Security Standards Council echoed the support of industry-regulated standards that are responsive to the community (its membership of payment card companies and consumers alike), but disclaimed “there is no silver bullet to securing payment card data.” Public-private information sharing was another cornerstone of Orfei’s position.
Pawlenty suggested that improved technology solutions such as global adoption of EMV and tokenization could certainly mitigate breach risk. He also took a strong position on data security. “Congress should pass legislation creating a strong, meaningful data security requirement for all companies that handle sensitive customer information but currently have no federal requirement to protect it,” Pawlenty advocated. With respect to the enactment of a data security law, any legislation should “create a framework of complementary federal requirements and self-regulatory standards, such as those put forth by the PCI Security Standards Council,” he added.
To read the prepared testimony and watch a podcast of the hearing, click here.