On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity supervision and examination standards for reporting agencies. Subcommittee Chairman Blaine Luetkemeyer, R-Mo., opened the hearing by stating that “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information,” and emphasized the need for a “national solution” to create data security safeguards and responsible notification processes.
Legislation. The hearing discussed two legislative proposals sponsored by Representatives Luetkemeyer and Patrick McHenry, R-N.C., respectively: the “Data Acquisition and Technology Accountability and Security Act” (DATAS Act) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (PROTECT Act). The DATAS Act would, among other things, (i) establish broad standards for data protection across industries; (ii) create new federal post-data breach notification requirements; and (iii) establish steps that covered entities must take to notify regulators, law enforcement, and victims after certain types of data breaches. The PROTECT Act includes provisions that would (i) subject large consumer reporting agencies to cybersecurity supervision and examination measures; (ii) amend the FCRA to allow consumers to request that security freezes be placed, removed, or temporarily lifted on their credit reports; (iii) set out rules for fees and exceptions from such fees; and (iv) prohibit consumer reporting agencies from including a consumer’s Social Security number in a credit report or using it as a method to identify a consumer.
Hearing Testimony. The hearing’s four witnesses provided testimony related to current issues with data breaches and protecting consumer information, and commented on the inconsistencies in data breach laws. Among the issues discussed were (i) the challenges of creating a “universal, unique identifier” separate from a Social Security number; (ii) efforts to establish streamlined, uniform, national data breach notification, security, and credit freeze standards; and (iii) the need for U.S. businesses that handle sensitive financial information to implement measures to protect the data and maintain consumers’ trust. Massachusetts Assistant Attorney General and Director of Data Privacy & Security for the Attorney General’s Consumer Protection Division, Sara Cable, stated in her written testimony and during the hearing that the proposed DATAS Act’s consumer notice provisions would “leave consumers in a worse position than the status quo.” She also expressed concern that the bill “allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.”