Congress Holds More Hearings on Data Security

Two House committees hold more hearings in response to recent data breaches.

November 08, 2017

WASHINGTON – On November 1, subcommittees of the House Energy and Commerce Committee and the House Financial Services Committee held a second round of hearings stemming from the Equifax data breach. 

The House Financial Services Subcommittee on Financial Institutions and Consumer Credit held an oversight hearing, “Data Security, Vulnerabilities and Opportunities for Improvement.” Witnesses included the Securities Industry and Financial Markets Association, American Land Title Association, the National Association of Federally-Insured Credit Unions and the U.S. Public Interest Research Group. In this hearing, the subcommittee went beyond Equifax and credit reporting agencies to look at data security more broadly.

In questions to the panel, merchants were characterized as “the weakest link” in data security. However, there were no merchant or retail groups testifying at the hearing. Members of the committee called for legislation on a federal requirement to notify consumers in the event of a breach.

The House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection also held its oversight hearing, “Securing Consumers’ Credit Data in the Age of Digital Commerce.” Witnesses included the Consumer Data Industry Association and think tanks and academic experts from Johns Hopkins University and the Harvard Kennedy School of Public Policy.

While the committee kept its focus on consumers’ financial and credit data, it also looked toward legislation on a federal data breach notification requirement. Some members of the committee went further, stating that “disclosure is not enough” and that fines and penalties need to be strengthened.

The Senate Commerce Committee is expected to hold hearings on data security in the coming days and will look at not only the Equifax breach, but other significant data breaches such as the Yahoo breach.

NACS Position
In response to the proliferation of highly publicized data breaches, Congress is considering legislation that would create a federal data breach notification requirement and data security standard.

NACS believes that federal legislation should incorporate the following principles:

  • Ensure all breached entities have notice obligations so that telecommunications companies, banks, card networks, card processors, and others cannot have a breach and push their notification obligations onto retailers.
  • Do not exempt favored industries (like financial services businesses) from data security or data breach responsibilities.
  • Promote reasonable data security standards without dictating detailed requirements that are not appropriate for many businesses.
  • Maintain an appropriate enforcement regime so that the Federal Trade Commission cannot immediately seek penalties without first giving businesses a chance to come into compliance.
  • Establish a uniform nationwide law that preempts state laws.