The House Subcommittee on Financial Institutions and Consumer Credit held a hearing this week to discuss two bills that would reform data security and breach notification rules, as well as reporting standards for reporting agencies.
The two bills that were the focus of the hearing are the Data Acquisition and Technology Accountability and Security Act and the Promoting Responsible Oversight of Transaction and Examinations of Credit Technology (PROTECT) Act of 2017 – both of which are sponsored by Rep. Blaine Luetkemeyer (R-MO).
The Data Acquisition and Technology Accountability and Security Act, co-sponsored by Rep. Carolyn Maloney (D-NY), sets a standard for retailers and other commercial sectors to protect consumers’ sensitive information. It also requires timely notification in the event of a breach. These are the same standards that the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency and National Credit Union Administration currently adhere to.
“Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information. For each state with robust safeguards and requirements in place, there is another with protections that are simply insufficient – creating a regulatory labyrinth that causes compliance nightmares while leaving uncertainty where certainty is needed the most – consumer notification,” Luetkemeyer said. “This isn’t a question of if but of when. The legislation we consider today aims to foster an environment where consumers are not just protected but empowered.”
John Miller, vice president of global policy and law at the Information Technology Industry Council, said organizations must keep up with increasingly sophisticated and well-resourced hackers.
“Unfortunately, the percentages do not favor the defenders, who must be successful every time to avoid a breach,” Miller said. “Instead, the odds favor the attackers, who only need to be successful once to execute a successful breach. And when a breach of sensitive personally identifiable information (PII) occurs, we believe there should be a streamlined and uniform process to notify consumers in cases where there is a significant risk of identity theft, financial harm, or material economic loss.”
Jason Kratovil, vice president at the Financial Services Roundtable, added that every American business that handles sensitive financial information should be motivated to protect customer information, “if for no other reason than maintaining the trust and continued business of their customers.”
The Consumer Bankers Association (CBA) voiced its support for the Data Acquisition and Technology Accountability and Security Act.
“Bankers place a premium on protecting their customers’ financial and personal data. When high-profile commercial breaches happen, banks are on the front lines monitoring for fraud and working to make consumers whole – regardless of who is at fault,” Richard Hunt, president and CEO of CBA, said. “This bipartisan bill will create a national data security and breach notification standard to better protect consumers at every step in the payment system.”
Recent data from the Identity Theft Resource Center found businesses were the leading source of data breaches, not financial institutions.