Trade Law Daily is a service of Warren Communications News.

Senate Data Breach Bill Offers Preemption, ‘Substantial Harm’ Standard

Consumers would have to be likely to suffer “substantial harm,” not simply “embarrassment,” from a data breach, for breached entities to have to notify them, under a bill introduced this week by Sens. Bennett (R-Wyo.) and Carper (D-Del.). The Data Security Act (S-3568) would set a national notification standard, preempt state trigger laws, and require breached entities to notify relevant agencies, police authorities, account-holding institutions, credit reporting agencies and affected consumers. The FTC would handle oversight for entities not covered by the Gramm-Leach-Bliley Act (GLBA), which covers financial institutions. The bill was referred to the Senate Banking Committee.

The Senate bill is “one of the last few pieces of the puzzle,” Financial Services Roundtable Vp-Govt. Affairs Andy Barber told us. Given similar bills passed by the Senate Commerce (S-1408) and Judiciary (S-1789) committees, the remaining task is to reconcile a few sticking points. Passage becomes “more of a calendar issue” than substantive dispute, he said. Among major differences, the Judiciary bill would give state attorneys general enforcement powers and apparently would not preempt all provisions of state laws.

The financial and banking industries see the bill as the appropriate extension of GLBA to nonfinancial entities that handle sensitive personal and account information. S-3568 is “much more targeted at what the problem is,” which is lax security in other industries, a spokeswoman for the American Bankers Assn. (ABA) told us. The Office of the Comptroller of the Currency is the only agency with guidelines for safeguards and breach notification; the new Senate bill would extend that govt.-wide, data security attorney Andy Serwin told us, calling it a “middle-of-the-road approach.” The Bennett-Carper bill simply has “exported and made [data security] an everyday responsibility of any entity,” Barber said: It requires “everyone [to be] invested in the front-end protection.”

The Bennett-Carper bill strongly resembles HR-3997, approved by the House Financial Services Committee, Consumers Union Policy Analyst Susanna Montezemolo told us. That House bill contained a notice requirement preempting state notice laws which wouldn’t let consumers “know of security breaches when they need to know to protect themselves,” she said.

Scope of preemption is the key to the bill, Montezemolo said. Some data security legislation is written so broadly as to stop states from “innovating in areas that the federal government hasn’t covered,” she said. For example, HR-3997 would limit credit freezes -- also known as security freezes -- to ID theft victims, so the absence of a specific limitation on freezes in the Senate Banking bill is good news for consumer advocates wanting such provisions left to states, she added. But the ABA spokeswoman said the bill is clear in preempting state freeze provisions. Freeze proposals were the biggest partisan divide in a March markup session on HR-3997 (WID March 17 p3).

A free credit freeze for all affected by breaches is “like using a hammer to kill a fly,” the ABA spokeswoman said. The Fair & Accurate Credit Transactions Act already offers an initial 90-day freeze for any consumer regardless of account fraud; for ID theft victims, that period is extended for 7 years, she said. Fraud alerts “slow down things a little bit” without creating a freeze’s unintended consequences, such as keeping people from getting quick cash in emergencies, she added. Most consumers don’t know they can get a credit freeze, Serwin said, calling them a “mixed bag” for their potentially negative effect on credit ratings.

Relevant federal agencies -- “functional regulators” in the bill’s parlance -- for each industry have little consumer protection experience, save for the FTC, Montezemolo said. But industry players disagreed; regulators for each industry will err on the side of notification for “close calls,” Barber said. It’s not agencies’ fault that breaches, if not necessarily on the rise, are expanding in method, Serwin said. New situations, such as breaches through flash drives, are catching everyone off guard. “The answer is probably ‘sort of’” on agency competency to oversee and enforce data security rules under the bill, he said. Court decisions may affect the legislation, Serwin said, citing a recent Minn. court ruling that loss of a laptop full of personal data didn’t constitute a GLBA violation.

A plethora of data breach bills in both chambers snarls predictions on which will get through and which might merge. It’s “pretty early in the process of reconciling this” with the Senate Judiciary and Commerce bills, Barber said. On the chances of any data security bill passing this year, Serwin called himself a skeptic. The NSA e-surveillance controversy has captivated consumers more than data breaches, so far little damage has emerged in the VA breach, and consumer groups don’t see the dominant bills as consumer-friendly enough, he said. Bills with broad preemption of state laws -- House Financial Services, Senate Commerce and Senate Banking -- are more likely to continue on in some form, he predicted.