A scaled-down breach-notification bill applying only to the financial industry could be marked up “imminently” in the House Financial Services Committee, a panel GOP source said, while stressing that the effort to move a narrow, sector-specific measure shouldn't be interpreted as a surrender on eventually passing comprehensive data security and consumer notice legislation.
However, introduction of the bill last week quickly raised concerns from major players in the retail sector, which fears the narrow approach undermines efforts to pass sweeping consumer data legislation.
Further, a state official prominent on consumer data-breach issues said the new bill has the same federal pre-emption problems as the broader legislation. And it's unclear whether this narrow approach will attract key bipartisan support within the Financial Services panel.
“Everyone's preference is for a larger comprehensive package,” said the Financial Services source, who added that the panel expects to be the only one to get jurisdiction on this “smaller bill,” introduced Friday -- the first anniversary of the revelation of the Equifax hack -- by Financial Services financial institutions and consumer credit subcommittee Chairman Blaine Luetkemeyer (R-MO).
Luetkemeyer earlier this year drafted legislation based on a compromise among financial, retail and telecom groups, which has been the subject of months of discussions involving industry groups, state organizations, privacy advocates and other House committees including the Energy and Commerce panel, which would share jurisdiction over that measure. Amid ongoing talks, that bill has yet to move to the markup stage.
“Our hope is to build momentum,” the Luetkemeyer source added. “We continue to work on the broader package, we're not walking away. This [new narrow bill] fixes part of the problem and we hope it raises the bar” across sectors.
Rep. Carolyn Maloney (D-NY), a senior member of the Financial Services panel and cosponsor of the broader legislation with Luetkemeyer, did not sign on as cosponsor of the narrow bill. Maloney's office didn't respond to a request for comment.
The Luetkemeyer source said the narrow bill “would codify existing guidance that most financial institutions adhere to today. We're enhancing the Gramm-Leach-Bliley Act by adding a notification requirement. The goal is to require everyone under GLBA to have a notification standard in place.”
Most federal financial regulatory agencies have already promulgated breach-notice requirements for entities under their jurisdiction, the source said, but a few have yet to do so.
The new Luetkemeyer bill also covers insurers, which the source called “unique” in their regulatory treatment.
“A lot of the language in the bill is to ensure they have safeguards and notification standards,” according to the source. The insurance industry is covered by state regulation, “but not every state requires it of insurers,” said the source.
In exchange for the new federal requirements, the source said, the insurers would receive pre-emption of a patchwork of state laws.
At least one prominent state official on data-breach issues expressed concerns over the measure.
Connecticut Attorney General George Jepsen “is not opposed to a federal standard for reporting data breaches, though he believes that any federal standard should have teeth and be meaningful, and should preserve the authority of state attorneys general to investigate data breaches,” a spokeswoman said. “He has consistently opposed federal legislation that would pre-empt state attorneys general, as this proposal appears to do.”
Broad versus narrow approaches
Austen Jensen, vice president for government affairs at the Retail Industry Leaders Association, urged Luetkemeyer to remain focused on a broader package.
“As the Financial Services Committee moves forward with this legislation, RILA encourages you to continue to work with the other Committees with primary jurisdiction over this issue and attach the key components from this updated draft to a comprehensive bill that focuses on all the necessary pillars of breach legislation,” Jensen said in a statement. “RILA will oppose any effort to pass an industry specific bill through the House of Representatives or attach it to any other piece of legislation moving through Congress.”
But former Sen. Saxby Chambliss (R-GA), who worked on multiple cyber issues as top Republican on the Intelligence Committee, said the latest Luetkemeyer bill gets at least one thing right -- because, he said, the smartest approach right now is to “limit the legislation to breach notification” rather than address security standards as well.
“I hope Mr. Luetkemeyer has it right, that both sides can get together and agree on what should be a no-brainer,” Chambliss told Inside Cybersecurity, speaking of breach-notice in general. He noted his discussions on the topic with Senate Commerce Chairman John Thune (R-SD) and Senate Judiciary leaders.
“But the problem is, whenever you bring [breach notification] up as an issue, it becomes a quagmire of other issues,” including security and privacy-related policy questions, Chambliss said.
“Just deal with notice -- breach notification needs to be standardized and there needs to be pre-emption of state laws,” Chambliss, now of the law firm DLA Piper, said. “You can't do a bill now on security that deals with where that issue will be in six-eight months, it's just too fast moving,” Chambliss said.
As for passing even a narrow bill, Chambliss pointed to the partisan rancor on Capitol Hill and said “zero is going to happen before the elections other than keeping the government open.”
“But if you can have discussion between committees, maybe this [narrow bill] can galvanize action in the lame-duck,” Chambliss said. “But the Senate has gotten a lot like the House, which is unfortunate. It's hard to see them focusing on an issue like this” in 2018. -- Charlie Mitchell