On December 8, 2015, the House Financial Services Committee (Committee) convened a full committee markup of H.R. 2205, the Data Security Act of 2015. Committee members weighed in on proposed amendments and certain elements of the legislation, including preemption of existing state data security laws, federal and state regulatory enforcement, and the scalability of data security measures to a business’ operations and controls. In a 46-9 vote the following day, the Committee moved to report an amended version of the legislation out of Committee and to the House of Representatives. Two amendments were offered during the markup. The Committee voted to adopt a substitute amendment proposed by the bill’s author, Representative Randy Neugebauer (R-TX). The other amendment, aimed at striking the preemption standard in the bill, was offered by Committee Ranking Member Maxine Waters (D-CA). Ranking Member Waters’ amendment failed by a 26-20 vote.

The amended version of H.R. 2205 makes the following changes to the original text:

  • addresses enforcement authority by state attorneys general where the Federal Trade Commission has not already initiated federal civil action,
  • adds “within the most expedient time possible” to the timing of notification,
  • adds “State law enforcement agency” as a recipient of notification when appropriate,
  • removes the terms “substantial” and “inconvenience” from the definition of “harm” to consumers resulting from a breach that triggers notification,
  • removes “identity theft” and “financial fraud” from the list of types of harms covered, and
  • adds medical and health insurance information to the definition of sensitive information.

There was some disagreement among the Committee members on the scalability of data security measures in the bill and preemption. Rep. Mick Mulvaney (R-SC) suggested that the bill take into account the volume of consumer records held by a company. Rep. Waters noted her concerns regarding preemption, specifically mentioning that the bill would not provide state attorneys general with sufficient enforcement authority and would not address a private cause of action for individuals harmed by a breach. Rep. John Carney (D-DE), a sponsor of the bill, stated that there are other changes in the bill that he intends to propose in the future, based on his discussions with Rep. Waters. Reps. Neugebauer and Carney announced that they will continue discussions with stakeholders and lawmakers to address certain aspects of the bill, including the addition of a private cause of action, the role of state insurance regulators, and the collection of consumer information by regulatory agencies.

GLBA Privacy Notice Measure Enacted into Law

On December 4, 2015, the Eliminate Privacy Notice Confusion Act was enacted into law as part of a surface transportation reauthorization bill signed by the President that day. The Eliminate Privacy Notice Confusion Act amends the Gramm-Leach-Bliley Act (GLBA) to provide certain exemptions to the requirement that financial institutions provide consumers with an annual privacy notice. The measure, introduced in January this year by Representative Blaine Luetkemeyer (R-MO), was widely supported by the financial services industry on the basis that it would reduce compliance costs associated with providing annual privacy notices.

Under the new law, a financial institution that does not share consumers’ nonpublic personal information with unaffiliated third parties is not required to provide consumers with an annual privacy notice if the financial institution has not changed its information disclosure practices since its previous notice to that consumer. These financial institutions are permitted to share consumers’ nonpublic personal information pursuant to certain exceptions under the GLBA, including those associated with disclosure to service providers or law enforcement, or as necessary to fulfill a transaction required by a customer. If a financial institution changes its privacy practices or discloses consumer information in ways inconsistent with these exceptions, the financial institution is no longer exempt from providing consumers with an annual privacy notice.

The Eliminate Privacy Notice Confusion Act continues the process of streamlining the delivery of privacy notices to consumers, which was initiated by the Consumer Financial Protection Bureau (CFPB) in 2014, when it issued a final rule permitting financial institutions subject to its oversight to post privacy notices online instead of issuing individual notices under certain circumstances. The law provides relief for financial institutions not subject to CFPB oversight.