Legislation establishing a national standard on data security was passed by the House Financial Services Committee late on March 16. But the bill faces an unclear path to passage this year because of consumer concerns voiced by Democrats about the precise rights individuals have to protect themselves when a data security breach occurs.
The insurance industry also has concerns. For example, the American Council of Life Insurers said the bill does not provide a clear, preemptive standard for life insurers with respect to investigation and notice of security breaches.
“Clarity and uniformity are vital in this area,” said Jack Dolan, a spokesman for the ACLI. “Unfortunately, the legislation may open the door to various approaches in the states to when investigations of potential data breaches need to be launched and when consumers need to be notified.
“ACLI does not think it wise for consumers in one state to enjoy protections unavailable to consumers in another state,” Dolan said. In addition, “a hodgepodge of rules throughout the country results in onerous, unnecessary and costly burdens on insurers.”
The bill passed the House panel, 48-17, after more than 24 hours of maneuvering to win support for changes to the original legislation that were acceptable to insurers.
Various Senate committees have jurisdiction over the issue, and none has acted on similar legislation so far this year. The Senate Banking Committee, whose legislation is likely to set the standard for Senate action, has promised to deal with the issue this spring, but no firm date has yet been determined.
The bill in the House Financial Services Committee, which follows a string of high-profile data security breach cases reported by banks and credit card issuers, lays out requirements for companies to investigate and notify customers, law enforcement and credit-reporting agencies when there is a breach.
Under language hammered out by congressional staff, the bill had required investigations and notification when the unauthorized use of data was likely to result in “substantial harm or inconvenience” to consumers.
The industry also was successful in modifying the manager’s amendment to remove the word “substantial” from the provision’s language on what triggered notification procedures and other safeguards for consumers.
The industry was able to defeat efforts to provide state attorneys general with enforcement authority, weaken overall preemption and remove the preemption applicable to credit freezes.