House Committee Considers Data Security Legislation

NACS raises concerns over subcommittee proposal.
March 08, 2018

Washington -- Yesterday, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing, “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime.” The hearing considered two legislative proposals. The first, H.R. 4028, the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017,” was introduced by Rep. Patrick McHenry (R-NC). The second proposal discussed was the “Data Acquisition and Technology Accountability and Security Act” draft bill authored by the Subcommittee’s Chairman Blaine Luetkemeyer (R-MO) and Rep. Carolyn Maloney (D-NY).

The panel consisted of the following witnesses:

  • Ms. Sara Cable, Director, Data Privacy and Security, and Assistant Attorney General, Office of the Attorney General, Commonwealth of Massachusetts
  • Mr. Francis Creighton, President and Chief Executive Officer, Consumer Data Industry Association
  • Mr. John S. Miller, Vice President, Global Policy and Law, Information Technology Industry Council
  • Mr. Jason Kratovil, Vice President, Financial Services Roundtable

Chairman Luetkemeyer opened the hearing by citing the current crisis in the state of data security in the United States. Luetkemeyer stated, “It is data insecurity rather than security at this point.” He released his draft bill two weeks ago, and his top priority is moving the bill through the full Committee once the language is finalized and formally introduced.

NACS and a number of other stakeholders sent a letter to the subcommittee laying out significant concerns with provisions in the draft bill.

“The draft bill does not ensure that all breached businesses have obligations to investigate and provide notice to regulators and consumers of their breaches. Instead, the draft carves out exceptions from notice for three categories of businesses: “third parties;” “service providers;” and a large category of financial institutions,” states the letter.

In a separate letter to the Subcommittee, NACS underlined the concern that the draft bill exempts certain breached businesses from notification, leaving the non-breached businesses responsible for interfacing with consumers.

NACS stated, “If legislation locks in exemptions from data breach notification for certain industries, we are bound to weaken our national data security and be caught unaware by the insecurity of our data.  We will have fraud without any idea from whence it came and be without the information to make improvements in the future.  Secret breaches cannot be the result of good legislation.”

NACS continues to advocate for data security and breach notification policy that ensures the entity that experiences the breach is responsible for notification. Chairman Luetkemeyer is expected to introduce his bill formally this spring. Stay tuned to the NACS Daily for updates.