On December 9, 2015, the House Financial Services Committee favorably reported H.R. 2205, the Data Security Act of 2015, sponsored by Reps. Randy Neugebauer (R-TX) and John Carney (D-DE). The bill, which would direct individuals, corporations or nongovernmental entities that interact with sensitive consumer financial or other nonpublic data to develop information security plans to protect consumers’ personal information, was reported by a vote of 46-9.
In addition to requiring covered entities to secure personal information, H.R. 2205 would require notification to consumers, federal law enforcement, appropriate administrative agencies, payment card networks and consumer reporting agencies of data breaches of unencrypted sensitive information (though notification may be delayed upon request by law enforcement). It also directs covered entities to require their third-party service providers by contract to implement appropriate safeguards for sensitive information.
Under the bill, the security and breach notification provisions would be enforced by the Federal Trade Commission (FTC), the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration Board, the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Office of Federal Housing Enterprise Oversight or a state insurance authority, depending on the type of entity handling the sensitive information. The bill sets forth alternative compliance procedures for financial institutions and affiliates under the Gramm-Leach-Bliley Act, and entities complying with certain health record privacy laws. H.R. 2205 also preempts state laws from being imposed for information security and breach notification purposes.
Only one amendment in the nature of a substitute (ANS) was adopted during the committee’s markup. The ANS deleted language that defined “substantial harm or inconvenience” as identity theft or fraudulent transactions on financial accounts (the bill as amended would require notification only when a breach is “reasonably likely” to cause harm to consumers). The ANS also added language that provides for enforcement by state attorneys general through civil action, as well as allowing attorneys general to intervene in criminal cases brought by the FTC.
The bill has also been assigned to the House Energy and Commerce Committee, and must be marked up in that committee as well before it has any chance of being brought to the full House for consideration. At this time, it is unclear when the Energy and Commerce Committee may act on the bill. In the Senate, the companion measure (S. 961), sponsored by Sen. Carper (D-DE), has been assigned to the Commerce Committee, but has not seen any significant action since its introduction in April 2015.