Inside Cybersecurity

April 25, 2024


Industry concerns, possible splits, pose hurdles for draft breach-notification bill

By Charlie Mitchell / February 22, 2018

Industry groups are focusing on a handful of thorny issues in draft data security and breach notification legislation, including one -- on the responsibilities of third parties -- that could threaten a key cross-industry coalition just as a House Financial Services subcommittee prepares to begin moving a bill as soon as next week.

Other issues, such as how quickly consumers must be notified of hacks, security standards and pre-emption of state laws, also pose challenges as lawmakers attempt to address a topic that has stymied Congress for much of the last decade.

House Financial Services financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer (R-MO) last week circulated revised draft language of his bill and plans to hold a legislative hearing, perhaps when Congress returns from recess next week. A markup would follow shortly, according to sources. Nothing has been put on the calendar so far, though.

Sources on Capitol Hill and in the business community have suggested that maintaining an industry alliance on the legislation is essential to avoiding conflicting approaches by the House Financial Services and Energy and Commerce panels, which doomed past legislative efforts and could dissipate momentum generated in the aftermath of the Equifax breach.

Some observers say subsequent action in the Senate could be even more difficult.

“The draft is a strong first step toward actually moving a bill,” according to Jason Kratovil of the Financial Services Roundtable. “We hope they find a way for the two committees to work together. Hopefully this will be the Congress in which a bill actually passes at least one chamber.”

But industry insiders said the draft bill's language on third parties' responsibilities could undermine a delicate compromise between the financial services sector and major retailers. The telecom industry has also signed onto that compromise while a representative of BSA -- The Software Alliance spoke favorably of the Financial Services Committee's emerging approach at a hearing last week.

The draft language requires third-party contractors to notify the “covered entity” of a breach, such as a retailer, which in turn would notify customers.

However, a retail sector source said, “The notification obligation should go all the way from the breached party to the consumer, not just from the third-party contractor to the covered entity.”

The source said “having your name on the line is a good motivator,” which wouldn't be present if third parties simply notify the covered entity.

Another retail source said, “If Financial Services comes forward with a good bill on the third-party issue, that will put pressure on the Energy and Commerce Committee to move as well.”

Energy and Commerce has jurisdiction over many of the industry groups that would be covered by the legislation, as well as over the Federal Trade Commission that would play a central enforcement role.

“If Financial Services moves a bill with bad third-party language, the broad coalition falls apart and Energy and Commerce probably walks away,” the retail source said. “But the best case is the two committees work together in tandem.”

The retail source added, “We've reminded the Financial Services Committee that your goal should be to have a strong coalition and a big bipartisan vote.”

But a source close to another industry said the retail sector-favored approach would create several problems, including notifications to consumers from unfamiliar third parties as well as the possible need to give a breached third party “even more personal information” in order to perform the notifications.

“Luetkemeyer made a policy determination that it doesn't make sense in statute to make the third party responsible to do the notification to consumers,” the source said. “But it does require the third party to participate in the investigation.”

Congressional sources said talks continue with stakeholders, both at the Financial Services panel and at the Energy and Commerce Committee. Energy and Commerce has been holding “listening sessions” with interested parties. The next such session will be on the third-party issue, according to sources, possibly next week or the week after.

Luetkemeyer's approach to another issue -- on federal pre-emption -- is strongly supported by the Financial Services Roundtable and major retailers, but is also sure to spur a fight over state authority to craft stronger data security and notification rules.

“Pre-emption makes a tremendous amount of sense,” said FSR's Kratovil. “Few things call out more for a federal law. We support a federal ceiling as long as the security language is strong enough.”

Kratovil added: “If Congress is going to act, the first thing is to create a robust framework to make sure data is safe. The best way is to prevent breaches from happening so you never get to the notification stage. The legislation sets a high bar but it doesn't overburden small entities.”

The retail source said “the big bone of contention” with banks has often been around security, and that the draft “does a nice job of not going too far but having a real standard.”

Many states and their consumer-advocate allies on the issue say any federal standard should be a floor that allows states to craft even tougher regulations, rather than a ceiling. Like-minded senators could throw up significant and perhaps fatal obstacles to the legislation over that issue alone.

The Luetkemeyer draft's language calling for “immediate” consumer notification of breaches is also raising industry concerns. “We want to notify as soon as possible, but the reality is, standing up these operations is hard and we want to make sure we're giving all the facts,” said the retail source. “Being clear on who to notify and what to tell them is important.”

The retail side did agree to what one source called “shaming” language sought by community bankers, namely that after a retailer suffers a breach and issues notification, a bank can issue its own notification to its customers naming the retailer as the source of the breach. “It caused us heartburn but we accepted it,” the retail source said. -- Charlie Mitchell (cmitchell@iwpnews.com)