Members of the U.S. House Financial Services Committee voted 48-17 Thursday to approve H.R. 3997, a bill that could affect how insurers respond to breaches of customer data security.
The bill, the Financial Data Protection Act of 2005, continues to face attacks from some Democrats, who want to strengthen protections for individuals affected by breaches of data security.
The American Council of Life Insurers, Washington, also is expressing concerns about H.R. 3997.
H.R. 3997 does not provide a clear, preemptive standard for life insurers with respect to investigation and notice of security breaches, the ACLI says.
“Clarity and uniformity are vital in this area,” says ACLI Jack Dolan. “Unfortunately, the legislation may open the door to various approaches in the states to when investigations of potential data breaches need to be launched, and when consumers need to be notified. ACLI does not think it wise for consumers in one state to enjoy protections unavailable to consumers in another state.”
Variations in state data security rules could also raise costs for insurers, Dolan says.
Several Senate committees share jurisdiction over data security. The Senate Banking Committee says it will take up the issue this spring.
H.R. 3997 establishes the investigation and notification process that insurers and other financial service companies would have to follow after learning of a data breach. Affected companies would have to warn customers, law enforcement agencies and credit-reporting agencies when there was a breach.
Under language hammered out in the past week by congressional staff, the bill had required investigations and notification when the unauthorized use of data was likely to result in “substantial harm or inconvenience” to consumers.
Insurers were successful in modifying the manager’s amendment to remove the word “substantial” from language in the provision referring to what would trigger notification procedures and other safeguards for consumers.
The insurance industry also defeated efforts to provide state attorneys general with enforcement authority, weaken overall preemption, and remove the preemption applicable to credit freezes.