House Financial Services – Financial Institutions Subcommittee hearing on data breach legislation
House Financial Services – Financial Institutions Subcommittee
“Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime”
Wednesday, March 7, 2018
Key Topics & Takeaways
- H.R. 4028, The Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017 (Protect Act): The Protect Act and its impact on how credit bureaus are regulated was discussed throughout the hearing. Francis Creighton of the Consumer Data Industry Association voiced his concern with the Protect Act’s recommendation to phase out the use and handling of social security numbers. He noted the difficulty of finding an alternative identifier that is as reliable and universal.
- The Data Acquisition and Technology Accountability and Security Act: The hearing provided a variety of opinions in the discussion of this proposed legislation. This Federal breach notification bill seeks to harmonize existing state cybersecurity and breach notification rules. Sara Cable of the Massachusetts Office of the Attorney General expressed concern that this law, if enacted, would dilute the role states have in consumer protection and breach notification. While John Miller of the Information Technology Industry Council was in favor of federal preemption, he did have recommendations for improvement. Mr. Miller asked for clarification of the role of third parties who may also come into the scope of the law as a covered entity.
- Ms. Sara Cable, Director, Data Privacy and Security, and Assistant Attorney General, Office of the Attorney General, Commonwealth of Massachusetts
- Mr. Francis Creighton, President and Chief Executive Officer, Consumer Data Industry Association (TTF)
- Mr. John S. Miller, Vice President, Global Policy and Law, Information Technology Industry Council (TTF)
- Mr. Jason Kratovil, Vice President, Financial Services Roundtable (TTF)
Subcommittee Chairman Blaine Luetkemeyer (R-Mo.)
Luetkemeyer began his opening statement by explaining the current regulatory landscape for breach notification. In his explanation that 48 states and other U.S. territories have enacted data breach notification requirements, he noted that there is no reason that any state should have better protections than another. In promoting his bill, the Data Acquisition and Technology Accountability and Security Act (which is currently in the draft stage), Luetkemeyer called for the need of a national security standard with flexibility for individual companies based on size, scale, industry and sensibility.
Subcommittee Ranking Member Wm. Lacy Clay (R-Mo.)
Clay echoed Rep. Luetkemeyer’s message through a recounting of the Equifax data breach incident. He noted that events such as this have caused a data protection crisis. In addressing H.R. 4028, the Protect Act, Clay acknowledged that no current federal law requires credit freezes after a data breach. He noted that the current version of the Protect Act would require such a mechanism.
Ms. Sara Cable, Director, Data Privacy and Security, and Assistant Attorney General, Office of the Attorney General, Commonwealth of Massachusetts
In her testimony, Cable shared her experience working at the Massachusetts Office of the Attorney General, noting that the state has some of the strongest data breach protections in the country. She then moved to her concerns regarding the current federal data breach bill. Generally, Cable argued that this bill would restrict the role that state Attorneys General currently have in protecting their constituents. Specifically, she noted that 1) notifying consumers about a breach only after a determination of potential harm runs counter to states that try to notify before a harm has occurred; 2) unlike 24 states, the federal bill does not require companies to notify the respective state Attorney General; and 3) the threshold of 5,000 affected individuals is too high and may create a blind spot for consumers who are currently notified at the state level.
Mr. Francis Creighton, President and Chief Executive Officer, Consumer Data Industry Association
In his testimony, Creighton opened by acknowledging that he was representing the interest of credit bureaus, noting how well regulated these entities already are. He cited the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, and the Fair Credit Reporting Act (FCRA) as regulations that already subject credit reporting companies to consumer protection and cybersecurity requirements. Creighton, in addressing the Protect Act, stated that the regulation would be better informed once the Equifax investigation is complete. He closed by noting his concern with the Protect Act’s provision that eliminates social security numbers, stressing that it is the only reliable and universal identifier.
Mr. John S. Miller, Vice President, Global Policy and Law, Information Technology Industry Council
Miller began his testimony by stating his agreement with the general purpose of the Data Acquisition and Technology Accountability and Security Act, noting the need for a uniform and standardized breach notification law. Much of his testimony, however, focused on areas the bill can be improved. With respect to security requirements, Miller recommended a heightened standard of proof when a company employs a government-approved safeguard. Miller advocated for further clarity on the definitions of third parties and covered entities and argued that third parties cannot be expected to report or notify, as the bill currently does not involve them in the investigation. Miller stressed that covered entities should only be those who license or own the data in question.
Mr. Jason Kratovil, Vice President, Financial Services Roundtable
In his testimony, Kratovil stated that the Data Acquisition and Technology Accountability and Security Act sets a high bar for data security. In response to Ms. Cable’s previous remarks that notification must be timelier than the bill allows, Kratovil argued that breach notification must be tied to an assessment of risk. He contended that notice must be viewed as a call to action and that any over-notification would make consumers desensitized to breaches. Kratovil acknowledged the concern over duplicative requirements, stressing that a revised bill should recognize that financial institutions have existing federal requirements.
Question and Answer
Luetkemeyer asked Creighton what effect the Protect Act would have on credit unions if signed into law. Creighton responded that credit unions would be subject to the current FTC safeguard rules and the Data Acquisition and Technology Accountability and Security Act, which would impose a heightened standard. He also reemphasized that if the Protect Act intends to phase out social security numbers, there needs to be an alternative universal identifier.
Luetkemeyer then turned to Kratovil to inquire about how GLBA sets a requirement for data breach protection. Kratovil said there was no requirement as such, but rather that GLBA implemented guidance on information security and breach notification. He noted that banks are examined to ensure compliance and that enforcement tools can ensure such compliance.
Luetkemeyer concluded by asking Miller how he would structure the regulation of third parties, while also cautioning against the European Union’s General Data Protection Regulation (GDPR) informing U.S. policy in this area. Miller restated that third parties and covered entities have overlapping requirements in the proposed bill. He suggested tightening the focus around who is handling and storing the data. He concluded that since the goal of the bill is to provide meaningful notification, third-party breach notification is not necessary.
Clay asked Cable how the state of Massachusetts would be compromised by the new federal data breach notification bill. She noted that Massachusetts sets a higher standard of notice and remedial measures. Additionally, Cable opined that federal preemption would harm consumers, as the federal definition of personal information is narrower than states like Massachusetts. She expressed her concern that preemption would block certain measures in state law that did not pertain to data breach notification or protection.
Rep. Keith Rothfus (R-Pa.) asked the panel what they thought was the best way to balance breach notification and corrective action. Miller suggested that while companies want to provide notice as quickly as possible, certain states have a numeric timeline to notify that is not helpful (much like the EU’s General Data Protection Regulation’s 72-hour requirement). Kratovil supplemented this by stating that no two breaches are the same and companies need time to investigate and understand the existence and scope of the breach.
Rothfus then asked if businesses of all sizes should be subject to this rule. Kratovil concluded that there needs to be a scalable framework, so companies can evaluate what cybersecurity measures they need to have in place.
Rep. David Scott (D-Ga.) acknowledged that the Protect Act only requires enhanced protections for large consumer reporting agencies. Ms. Cable agreed that a higher standard than GLBA is needed to ensure enhanced cybersecurity measures for all credit agencies.
Rep. Robert Pittenger (R-N.C.) asked the panel what can be done about social security numbers being compromised. Miller suggested that innovative technology solutions could produce an alternative to social security numbers. Creighton explained that while social security numbers provide the ability to match the right name to the right file, at the moment there is no alternative to this identifier.
Pittenger followed up to ask the panel to clarify the role of law enforcement when a data breach occurs. Kratovil noted that companies work with the Secret Service and FBI in the investigation of a breach. Creighton explained that sometimes, law enforcement requires nondisclosure of the breach until the investigation is complete.
Rep. Denny Heck (D-Wash.) asked Cable if there was support for a carve-out for state insurance regulators. She noted that breaches are usually caused by human error and suggested that companies should increase their minimum data security standards because they are important. Heck then focused on the provision of the breach notification draft legislation that states, “without unreasonable delay.” He asked what the meaning of “reasonable” was. Cable responded that each breach is different, and it is up to a judge to define reasonableness based on the facts and circumstances of the case.
Rep. Scott Tipton (R-Colo.) asked the panel why it is important to have harmonization amongst the states. Kratovil noted that some states do not have data security laws and that timing is an important topic, as many states have their own timelines. He suggested that a federal framework should set appropriately high standards. Miller followed up to say that standardizing the timing would be helpful for harmonization.
Rep. Al Green (D-TX) opined that the federal standard should not be weaker than the state standards. Rep. Green then asked the panel if the draft bill was a “floor” or a “ceiling” regarding disclosure. All four raised their hands to acknowledge it was a ceiling, while Ms. Cable cautioned that this bill would lock consumers into a weaker set of protections as breaches continue to multiply.
Rep. Roger Williams (R-Texas) began his questioning by asking about the importance of scalability in consumer protection. Kratovil stated that flexibility is important, and that the complexity of the business should be accounted for when imposing data security requirements. Rep. Williams then asked why there is a resistance to premature notification. Kratovil explained that oftentimes hackers are still in the system when a breach is discovered and thus companies need to take remedial measures before disclosure.
Rep. Barry Loudermilk (R-Ga.) asked the panel to clarify the requirements of GLBA. Kratovil explained that the data security requirement is affirmative and that regulators and examiners see the requirement as mandatory.
Loudermilk then moved to ask Miller about third-party liability issues. Miller noted that third parties come in all shapes and sizes. He argued that the key to liability is setting up proper contractual obligations requiring cybersecurity measures.
Rep. Mia Love (R-Utah) asked the panel to comment on the EU’s GDPR standards. Creighton explained that there would not be much of an impact on credit bureaus, since they collect a narrow scope of information. Miller noted that while the 72-hour notification requirement is troublesome, it is difficult to gauge the GDPR’s impact prior to implementation.
Rep. Claudia Tenney (R-N.Y.) asked if a national standard is better than state standards for data breach notification. Kratovil noted that the federal standard should be strong, with flexibility for small businesses. Tenney then asked how they make this cost effective for small businesses. Kratovil noted that the bill considers this flexibility and noted the existence of private-sector Information Sharing and Analysis Centers (ISACs) that exist to share information among market participants.
Rep. Dave Trott (R-Mich.) asked if there is enough flexibility in the bill, as businesses are vulnerable to hacks. Miller noted that it is important not to be too prescriptive in the standards. He explained that the list of safeguards in the bill is consistent with risk management principles. Trott then followed up to ask what flexibility should be built in to evolve over time. Miller suggested that the requirements themselves should be technology neutral.
Rep. Luetkemeyer concluded the hearing by expressing his disappointment in comments regarding the timing of breach notification, stating that breach determinations are not immediate. He stressed the need to find a balance in all of this and cautioned that the House of Representatives is only “one major breach away” from this bill being fast tracked.