The House Financial Services Committee is considering legislation that would establish a national standard on data security, but at press time it appears unlikely that it will act before a scheduled recess.
Several Senate committees also are working on similar legislation. The Senate Banking Committee, among other panels, is drafting a bill, but it is unclear when the bill will be unveiled and acted on in that committee.
The House bill, introduced last October, would bar states from imposing their own standards but would at the same time mandate that state regulators enforce the standards as they relate to insurance companies.
That issue is critical to supporters of continued state regulation of insurers and was accepted by the committee leadership despite efforts from some corners of the industry to have the Treasury Department or the Federal Trade Commission oversee insurance industry compliance with the law.
The bill, introduced with bipartisan support, would safeguard sensitive consumer information, fight identity theft and create a uniform standard for notifying consumers of data breaches.
When it was introduced, the National Association of Mutual Insurance Companies, Indianapolis, said it would support the bill, which it called “a reasonable attempt to address consumers’ concerns about identity theft in a way that reflects the practicality of business operations.”
Data security is becoming a priority in Congress, especially since the records of several credit card processing companies were breached during the summer.
The bill would prevent data breaches by mandating a strong national standard for the protection of sensitive consumer information; require institutions to notify consumers that their information has been compromised and could be used by identity thieves; and require institutions to provide consumers with a free six-month nationwide credit monitoring service upon notification of a breach.
David Winston, NAMIC senior vice president for federal affairs, said the bill “is supportable because it requires notice to consumers only if it is determined that the breached information is reasonably likely to be misused.
“This is an important qualifier because there are many breaches that do not present such a risk and requiring disclosure of all breaches would overwhelm businesses and likely produce such frequent consumer notices that consumers would just throw them away,” Winston said.
Other provisions that make the bill supportable for small insurers include that the mandate will be enforced by an institution’s functional regulator. “In the case of insurers, this would mean the regulator in the state of domiciliary,” Winston said. “This is very important as the enforcer could have been the Treasury Department or the Federal Trade Commission.”
The bill also provides a safe harbor from lawsuits if reasonable policies and procedures are in place and mitigation services such as credit monitoring are provided, he said.
Under the bill, a breached organization would be required to provide consumers, free of charge, a service that monitors consumer credit files so they will be informed if attempts are made to open a new line of credit in their name.
The bill was introduced by several members of the House Financial Services Committee, including Reps. Steve LaTourette, R-Ohio, Darlene Hooley, D-Ore., Michael Castle, R-Del., Dennis Moore, D-Kan. and Deborah Pryce, R-Ohio, chairman of the committee’s Domestic and International Monetary Policy Subcommittee.