Data security legislation for financial services firms introduced last week in the House would bar states from imposing their own standards but would at the same time mandate that states enforce the standards as they relate to insurance companies.
The bill, introduced with bipartisan support, would safeguard sensitive consumer information, fight identity theft and create a uniform standard for notifying consumers of data breaches.
But the enforcement provision has also triggered conflict within the industry, with trade groups apparently concerned about the provision along fault lines that reflect their visions of how the industry should be regulated going forward.
Data security is becoming a priority in Congress, especially since the records of several credit card processing companies were breached this summer.
The bill, titled the “Financial Data Protection Act of 2005,” would prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information. It would do this by requiring institutions to notify consumers that their information has been compromised and could be used by identity thieves, and providing consumers with a free six-month nationwide credit monitoring service upon notification of a breach.
A spokesman for the American Council of Life Insurers said the industry “takes protection of consumers’ personal information very seriously and we are working closely with the sponsors of the bill.”
But ACLI also implied that it might seek changes on such issues as preemption, notification and enforcement when the House Financial Services Committee looks at the bill.
“ACLI supports federal legislation that provides uniform preemptive national standards for notification to individuals whose personal information has been subject to a security breach,” said Whit Cornman, an ACLI official. “The substantive provisions of any federal security breach notification legislation should be preemptive to the greatest extent possible.”