Expect House Financial Services to Advance Draft Data Breach Bill, Stakeholders Say
Amid a steady stream of data breach news, there's broad agreement from various industries that Congress should establish a federal notification standard, but disagreement remains between retail groups over data security mandates, stakeholders told us.
Consumer Data Industry Association CEO Francis Creighton said the debate continues over setting a security standard that could apply to everything from major banks to corner store retailers. The goal is a scalable standard, he said, ensuring a liquor store, for example, isn't held to the same standard as an international financial institution. The Retail Industry Leaders Association -- which includes Home Depot, Walmart and Target -- agrees some sort of standard is needed, but there has been difficulty drawing that line with smaller retailers led by the National Retail Federation, which also represents many of the larger companies. “But most people agree, I think it’s fair to say, that if you touch the data, you should have to protect the data,” Creighton said.
Rep. Blaine Luetkemeyer, R-Mo., and Rep. Carolyn Maloney, D-N.Y., are working through a draft legislative proposal that would establish broad data security and data breach standards across industries. An aide for Maloney said the bill is “very much still a draft” and her office is working with consumer groups on updating the language. An aide for Luetkemeyer said there has been no significant update since the last hearing in March, in which Creighton testified.
Paul Martino, vice president and senior policy counsel at the National Retail Federation, said the bill doesn't have wide consensus across industries and that support mainly originates from the financial sector. About a dozen trade groups continue to have major concerns about the legislation, he said, including groups from the convenience store, grocery, hotel, real estate, travel and restaurant industries.
Financial Services Roundtable Vice President-Government Affairs Jason Kratovil also testified at the March hearing. He told us to expect the committee to advance the draft legislation in the “not-too-distant future.” Small retailers are afraid the legislation would ask too much of them in data security mandates, he said, but there's consensus a standard is needed. “There have been enough data breaches where I think people are pretty sick and tired of it, and I think there is a reasonable expectation out there that if companies are holding onto customers' data, they should be taking steps to make sure it’s kept safe,” he said, adding that the draft bill allows a flexible framework for companies across the economy.
The Consumer Data Industry Association introduced its own wrinkle into the conversation, suggesting the legislation should allow breached entities to alert credit bureaus before the public, so the credit bureau can prepare for an increase in traffic. “We expect in the wake of a breach, people are going to be checking their credit report … so we want to be able to bring on extra staff, set up the call centers, that kind of thing,” Creighton said.
CyberVista Chief Cyberstrategy Officer Simone Petrella agreed it would be beneficial to have at least one overarching, consistent rule at the federal level. National Retail Federation Vice President-Government Affairs Public Relations Craig Shearman said the organization supports a national standard that would pre-empt state and local data breach laws. The American Bankers Association also supports a federal, pre-emptive standard. ABA chief legislative counsel William Boger said, “We’ve been supportive of it, and we hope that the bill moves forward.”
Paul Rosenzweig, former deputy assistant secretary at the Department of Homeland Security and founder of Red Branch Consulting, argued having a federal standard won't necessarily make the country more secure than the current state-by-state framework allows. “This is not something that burns for making the world a safer place,” he said. He argued a one-size-fits-all approach doesn’t necessarily satisfy all data-breach scenarios, and sometimes delayed breach notification benefits an investigation.
Petrella said having more than 50 regulations makes it difficult for companies to comply because every regulation has different requirements. The key will be establishing a standard that doesn’t create a market where there's so much data breach notification that the public becomes desensitized to it and stops paying attention. With news of data breaches becoming more frequent, and the recent allegations of data misuse in the Facebook-Cambridge Analytica scandal, there's a perfect storm between data privacy and control, she said: “The recent revelations around Facebook and tech and marketing and use of data issues from a privacy perspective, I think those three things combined are what ultimately ends up forcing some sort of action.”