Why it matters

The financial industry has thrown its support behind data breach notification legislation as well as passage of a law that would encourage businesses to share cyberthreat information. Data security issues have been a hot topic in Washington, D.C., following President Barack Obama’s introduction of multiple bills and discussion of cybersecurity during his 2015 State of the Union address. Banks and financial service companies – including the American Bankers Association (ABA) and the Credit Union National Association (CUNA) – joined the conversation, sending a letter to federal lawmakers urging the passage of a data breach bill, emphasizing the need for federal preemption of the current patchwork of 47 state laws. The groups also endorsed the idea that other entities – like retailers – be held to the same level of data security standards as financial institutions. A second letter followed from the U.S. Chamber of Commerce, joined by the ABA and 33 other organizations from a host of industries, asking that legislators enact a cybersecurity information-sharing bill, which would create a safe harbor for companies that follow the standards set by the law. Although data security and privacy issues are top of mind in the nation’s capital these days, the successful passage of either law remains unclear.

Detailed discussion

On January 12, the President addressed the Federal Trade Commission (FTC) and presented three proposed pieces of legislation relating to data security and privacy: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for noneducation purposes), the Consumer Privacy Bill of Rights (which would set out “basic baseline protections across industries,” the President said), and the Personal Data Notification & Protection Act.

The data breach bill would beef up criminal penalties for hackers generally, require that companies notify consumers of a breach within 30 days, and importantly, establish nationwide, uniform consumer data breach notification rules that would preempt the various state laws currently in effect.

Although not referencing the President’s Personal Data Notification & Protection Act proposal by name, seven industry groups – the ABA, CUNA, the Consumer Bankers Association, the Financial Services Roundtable, the Independent Community Bankers of America, the National Association of Federal Credit Unions, and The Clearing House – sent a letter to federal lawmakers urging passage of a national data breach law.

“We share your concerns about protecting consumers and strongly believe that the following set of principles should serve as a guide,” the groups wrote. Strong national standards “with effective enforcement provisions” must be applicable to “any party with access to important consumer financial information,” according to the letter, along with recognition of the preexisting requirements already placed on banks and credit unions, such as the Gramm-Leach-Bliley Act (GLBA).

Inconsistent state laws and regulations should be preempted by the federal legislation, according to the letter, and the public should be informed of a breach “where it occurred as soon as reasonably possible to allow consumers to protect themselves from fraud.”

“Too often, banks and credit unions bear a disproportionate burden in covering the costs of breaches occurring beyond the premises,” the groups explained. “All parties must share in protecting consumers. Therefore, the costs of a data breach should ultimately be borne by the entity that incurs the breach.”

Those in the financial industry are already required by law to develop and maintain data security protections, protect consumer financial information, and provide notice to consumers when a breach occurs that leaves them at risk. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes,” according to the letter.

After visiting the FTC, President Obama continued his focus on data security and privacy with a visit to the National Cybersecurity Communications Integration Center (NCCIC) at the Department of Homeland Security, where he spoke about a legislative proposal intended to encourage business to share cyberthreat information with the NCCIC.

Pursuant to the bill, companies that share such information and take “measures to protect any personal information that must be shared” would be granted “targeted liability protection,” the President promised.

Again, the ABA, this time joined by the U.S. Chamber of Commerce and dozens of other organizations covering a wide variety of industries (ranging from the Agricultural Retailers Association to the National Association of Chemical Distributors), requested that lawmakers “quickly pass a cybersecurity information-sharing bill.”

“Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats and to enhance their protection and response capabilities,” the 35 groups wrote. “Above all, we need Congress to send a bill to the President that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks.”

Any legislation must also “offer protections related to public disclosure, regulatory, and antitrust matters in order to increase the timely exchange of information among public and private entities,” the letter added.

“Congressional action cannot come soon enough,” the groups concluded.

To read the Personal Data Notification & Protection Act, click here.

To read the letter from the ABA, CBA, CUNA, FSR, ICBA, NAFCU, and The Clearing House, click here.

To read the proposal for sharing cyberthreats, click here.

To read the letter from the ABA, the U.S. Chamber of Commerce, and other organizations, click here.