Are we about to see some bipartisan legislation to improve privacy and data security? The Senate Banking Committee has asked for feedback on data collection standards for financial institutions, with Mike Crapo (R-Idaho), chair of the Senate Committee on Banking, Housing and Urban Affairs, and Ranking Member Sherrod Brown (D-Ohio) seeking input on ways to enhance protection and give consumers more control of personally identifiable information collected by financial firms as the first step toward proposing bipartisan data security and privacy legislation.

In related news, a group of 31 state regulators answered the Federal Trade Commission’s (FTC) request for public comment on the Identity Theft Rules, urging the agency to keep the Rules in place, but with some modifications.

What happened

With an eye toward the possible introduction of a federal privacy bill, Senators Crapo and Brown invited public feedback on data privacy, protection and collection from the financial services industry and other impacted constituencies.

“The collection, use and protection of personally identifiable information and other sensitive information by financial regulators and private financial companies (including third-parties that share information with financial regulators and private financial companies) is something that deserves close scrutiny,” the lawmakers said in their request. “Americans are rightly concerned about how their data is collected and used, and how such data is secured and protected. The collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward.”

The senators asked five questions. The first asked what could be done through legislation, regulation or best practices to give consumers more control over consumer financial data, enhance its protection, and ensure that consumers are notified of breaches in a timely and consistent manner; the next two asked how to provide adequate disclosure to citizens and consumers about what information is being collected about them and for what purposes, and how to give citizens and consumers control over how that data is used. The remaining questions asked how to protect consumer data held by credit bureaus and ensure that the information is accurate, and how to allow a consumer to “easily identify and exercise control of data” that is collected and shared by data brokers and other firms and used as a factor in establishing eligibility for credit, insurance, employment or other purposes.

“Congress should make it easy for consumers to find out who is collecting personal information about them, and give consumers power over how that data is used, stored and distributed,” Sen. Brown said in a statement, decrying “outdated privacy laws.” Although the public input could be used to inform potential legislation, we note that the senators also asked what could be done through regulation or by implementing best practices.

Separately, some data protection regulations are already in place at the federal level, including the FTC’s Identity Theft Rules, which include the Red Flags Rule and the Card Issuers Rule. These two Rules are designed to require financial institutions and creditors to detect, prevent and mitigate identity theft by identifying red flags and responding appropriately. The identity theft prevention program that the Red Flags Rule requires must involve the board or senior management of the institution, requires the training of employees, and requires the institution to exercise proper oversight of third parties. Card issuers must also mitigate identity theft by implementing reasonable safeguards when address changes are made on accounts.

As part of the systematic review of its regulations, the FTC asked interested parties to comment on all aspects of both Rules, including whether a need exists to keep them, whether they should be modified, the benefits of the Rules and the economic impact.

In response, a group of 31 state regulators (30 attorneys general and the Hawaii Office of Consumer Protection) urged the agency to keep the Rules in place, albeit with some modifications. “Our offices receive numerous reports of data breaches each month,” the regulators wrote. “We strongly believe there is a continued need for the Rules, as repealing the Rules would leave consumers more vulnerable to identity theft.”

The Rules complement the laws of the states that have enacted data protection measures and appropriately place the burden on financial institutions and creditors, which are “uniquely positioned to help detect, deter and prevent identity theft,” according to the regulators from Alaska, California, Colorado, Connecticut, Delaware, District of Columbia, Hawaii, Illinois, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Utah, Vermont, Virginia, Washington and Wisconsin.

While the letter praised the flexibility of the Rules, which has allowed them to keep up with changes in technology, the regulators suggested a few modifications to the Interagency Guidelines to reflect the current environment. For example, one idea proposed is that if an email address or cellphone number has been changed around the same time that a physical address was changed, notification to the cardholder of a change of address request should be made using both the old and new email addresses, or both the old and new phone numbers.

Another proposal, “to highlight current best practices,” is that the Rules, which currently focus on knowledge-based authentication, could be updated to promote more modern forms of authentication, such as multifactor authentication.

In another suggestion aimed at making the Guidelines more in tune with current threats, the AGs suggested including examples of suspicious activity, based on new ways that identity thieves use stolen information, including “[a]n unauthorized user trying to guess account passwords over several unsuccessful attempts” and “a covered account accessed by new and previously unknown devices based on a user’s prior behavior pattern.”
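As an added illustration (not code from the regulators’ letter or from any of the commenters), the following Python sketch turns the suggestions in the last two paragraphs into checks over constructed account-activity records: the dual-channel change-of-address notification, the repeated-failed-login red flag, and the previously-unknown-device red flag. The event types, field names, time window and failure threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample account-activity records (not taken from the regulators' letter).
EVENTS = [
    {"ts": "2019-03-01T09:00:00", "acct": "A1", "type": "login_ok", "device": "laptop-1"},
    {"ts": "2019-03-02T10:00:00", "acct": "A1", "type": "email_change",
     "old": "a1@old.example", "new": "a1@new.example"},
    {"ts": "2019-03-02T10:30:00", "acct": "A1", "type": "address_change"},
    {"ts": "2019-03-03T08:00:00", "acct": "A2", "type": "login_fail", "device": "phone-9"},
    {"ts": "2019-03-03T08:01:00", "acct": "A2", "type": "login_fail", "device": "phone-9"},
    {"ts": "2019-03-03T08:02:00", "acct": "A2", "type": "login_fail", "device": "phone-9"},
    {"ts": "2019-03-03T08:04:00", "acct": "A2", "type": "login_ok", "device": "phone-9"},
    {"ts": "2019-03-10T12:00:00", "acct": "A1", "type": "login_ok", "device": "tablet-3"},
]

def when(e):
    return datetime.fromisoformat(e["ts"])

def notification_targets(events, window=timedelta(hours=48)):
    """Change-of-address suggestion: if an email or phone number changed within
    `window` (assumed value) of an address change, notify the old AND new contact."""
    targets = []
    for a in (e for e in events if e["type"] == "address_change"):
        for c in events:
            if (c["acct"] == a["acct"] and c["type"] in ("email_change", "phone_change")
                    and abs(when(c) - when(a)) <= window):
                targets += [(a["acct"], c["type"], c["old"]), (a["acct"], c["type"], c["new"])]
    return targets

def guessing_red_flags(events, max_failures=2):
    """Red flag: more than `max_failures` consecutive failed logins on one account."""
    streak, flagged = defaultdict(int), set()
    for e in sorted(events, key=when):
        if e["type"] == "login_fail":
            streak[e["acct"]] += 1
            if streak[e["acct"]] > max_failures:
                flagged.add(e["acct"])
        elif e["type"] == "login_ok":
            streak[e["acct"]] = 0  # a successful login ends the streak
    return flagged

def new_device_red_flags(events):
    """Red flag: a successful login from a device the account has never used before."""
    seen, flagged = defaultdict(set), []
    for e in sorted(events, key=when):
        if e["type"] == "login_ok":
            if seen[e["acct"]] and e["device"] not in seen[e["acct"]]:
                flagged.append((e["acct"], e["device"]))
            seen[e["acct"]].add(e["device"])
    return flagged
```

In practice the streak threshold and the device-history lookback would be tuned per institution, which is the kind of flexibility the commenters credit the Rules with preserving.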

A few other stakeholders also weighed in on the Rules. The American Financial Services Association (AFSA) told the FTC that the Red Flags Rule and Card Issuers Rule “are working as intended and do not warrant modification or rescission,” a position seconded by the American Bankers Association (ABA).

“Overall, we believe that both rules provide appropriate flexibility to accommodate changes in identity theft trends and the technology needed to combat identity theft,” the ABA wrote. “We do not believe it is necessary to amend them at this time.”

Many of the examples of red flags listed in the Red Flags Rule “remain useful and relevant,” the ABA added, and while some are dated, “banks continually supplement their lists based on trends, new technology and their experience, as the Red Flags Rule requires.”

The “general rather than prescriptive directive” found in the Card Issuers Rule “provides appropriate flexibility and efficiency by allowing financial institutions broad discretion in how they assess the validity of the address change request,” the ABA said, permitting banks to take advantage of faster, more effective, less intrusive and more cost-effective technology.

To read Sens. Crapo and Brown’s request for information, click here.

To read the regulators’ comment to the FTC, click here.

To read the AFSA comment, click here.

To read the ABA comment, click here.

Why it matters

Data security breaches occur on a frequent basis around the country. The Rules have now been in existence for over ten years, with few modifications, while data thieves have become more clever and sophisticated over that same period. While the FTC received few responses to its request for comments, this may be the year it considers updates to its guidance. Similarly, developments from the Senate Banking Committee and other corners of Capitol Hill suggest there is at least some chance that 2019 is the year when a federal privacy law finally materializes.