In the spirit of National Cybersecurity Awareness Month, BSCR reports that Rep. Luetkemeyer of Missouri introduced H.R. 6743, a measure aimed at amending the Gramm-Leach-Bliley Act to provide a national uniform standard for addressing cyber security data breaches. The bill has already gained some traction, as it was ordered by vote to be reported to committee last month.
Some key amendments would be to revise the following two sections of the GLBA:
Standards with respect to breach notification
Each agency or authority required to establish standards described under subsection (b)(3) with respect to the provision of a breach notice shall establish the standards with respect to such notice that are contained in the interpretive guidance issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, published March 29, 2005 (70 Fed. Reg. 15736), and for a financial institution that is not a bank, such standards shall be applied to the institution as if the institution was a bank to the extent appropriate and practicable.
Relation to State laws
This subtitle preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, with respect to securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data.
The full text of the proposed amendments can be found at this link.
It is this second provision that is troubling some state-level authorities. In a letter to Chairman Hensarling, John W. Ryan, the President and CEO of the Conference of State Bank Supervisors (CSBS), expressed concern on behalf of state regulators that the bill, if enacted into law, could hurt efforts to protect consumers more than help them. Arguing that the GLBA and state privacy laws already provide sufficient guidance for cyber breach events, Mr. Ryan contends that H.R. 6743 would actually undermine state consumer protection laws, and that it would undermine the authority of state attorneys general and other authorities to enforce reporting requirements.