Data security legislation for financial services firms introduced last week in the House would bar states from imposing their own standards but would at the same time mandate that states enforce the standards as they relate to insurance companies.
The bill, introduced with bipartisan support, would safeguard sensitive consumer information, fight identity theft and create a uniform standard for notifying consumers of data breaches.
But the enforcement provision also has triggered conflict within the industry, with trade groups apparently concerned about the provision along fault lines based on their visions of how the industry should be regulated going forward.
Data security is becoming a priority in Congress, especially since the records of several credit card processing companies were breached this summer.
The bill, titled the “Financial Data Protection Act of 2005,” would prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information. It would do this by requiring institutions to notify consumers that their information has been compromised and could be used by identity thieves, and providing consumers with a free six-month nationwide credit monitoring service upon notification of a breach.
A spokesman for the American Council of Life Insurers said the industry “takes protection of consumers’ personal information very seriously and we are working closely with the sponsors of the bill.”
But ACLI also implied that it might seek changes when the House Financial Services Committee looks at the bill on such issues as preemption, notification and enforcement.
“ACLI supports federal legislation that provides uniform preemptive national standards for notification to individuals whose personal information has been subject to a security breach,” said Whit Cornman, an ACLI official. “The substantive provisions of any federal security breach notification legislation should be preemptive to the greatest extent possible.”
The National Association of Mutual Insurance Companies said it supported enforcement by state or “functional” regulators.
“This is very important as the enforcer could have been the Treasury Department or the Federal Trade Commission,” according to David Winston, senior vice president, government relations, at NAMIC.
The ACLI’s reason for desiring regulation by the Treasury is that it is lobbying heavily for legislation that would create an optional federal charter, hopefully as a sub-agency housed within Treasury.
The bill also provides a safe harbor from lawsuits if reasonable policies and procedures are in place and mitigation services such as credit monitoring are provided, Winston said.
Under the bill, a breached organization would be required to provide consumers, free of charge, a service that monitors consumer credit files so they will be informed if attempts are made to open a new line of credit in their name.
Cornman added, “We support legislation that avoids needlessly alarming individuals and undermining the significance of notification by requiring it only when the security and confidentiality of consumers’ personal information is truly at risk.”
The bill was introduced by several members of the House Financial Services Committee, including Reps. Steve LaTourette, R-Ohio, Darlene Hooley, D-Ore., Michael Castle, R-Del., Dennis Moore, D-Kan. and Deborah Pryce, R-Ohio, chairman of a subcommittee.