February 14, 2018
House Financial Services Financial Institutions and Consumer Credit Subcommittee “Examining the Current Data Security And Breach Notification Regulatory Regime”
Key Topics & Takeaways
- Breach Notification: During the hearing, much attention was paid to the types of requirements that should govern consumer notification of data breaches. Members of Congress and witnesses discussed such items as 1) when notification should be required, 2) what data needs to be compromised to prompt notification, and 3) what material should be included in company notifications regarding data breaches. The panel generally supported breach notification requirements that were flexible, scalable, and based on a “reasonableness standard” that required firms to notify consumers of breaches expeditiously but not hastily. The panel particularly pushed back on the idea of a mandatory time frame to disclose breaches.
- There was discussion throughout the hearing about the recent Equifax data breach.
Witnesses
- Aaron Cooper, Vice President, Global Policy, BSA – The Software Alliance
- Kim Sponem, Chief Executive Officer & President, Summit Credit Union, on behalf of the Credit Union National Association (CUNA)
- Nathan Taylor, Partner, Morrison & Foerster LLP
- Professor Marc Rotenberg, President, Electronic Privacy Information Center, and Adjunct Professor, Georgetown University Law Center
- Paul Rosenzweig, Senior Fellow, R Street Institute
Subcommittee Chairman Blaine Luetkemeyer (R-Mo.)
In his opening statement, Chairman Luetkemeyer discussed the impact of data breaches on Americans, who face sophisticated threats to their identities from highly organized criminal organizations and nation states. Luetkemeyer noted that companies work hard to prevent breaches, but that recent high-profile breaches (including Equifax) show how difficult building effective data security practices can be. Luetkemeyer also discussed the importance of notification by breached entities to consumers so that consumers can protect their information.
Witness Opening Statements
Aaron Cooper, Vice President, Global Policy, BSA – The Software Alliance
In his testimony, Cooper outlined the increasingly sophisticated threats facing consumers and businesses today, including from criminals and nation states. Cooper said that organizations that hold sensitive data need high standards for their data storage and management practices. Cooper said that legislation related to data breaches should create a uniform federal standard that minimizes risk, requires reasonable data security practices tailored to business needs, provides for timely notification to consumers, and creates uniformity across the country.
Kim Sponem, Chief Executive Officer & President, Summit Credit Union, on behalf of the Credit Union National Association (CUNA)
In her testimony, Sponem discussed her credit union’s experiences with data breaches, which she said have occurred because of merchants failing to take “necessary steps to protect consumer data.” Sponem said that financial institutions are on the hook for many of the costs stemming from data breaches, and noted that her credit union spent $1 million on fraud detection, fraud remediation, and replacing credit and debit cards. Sponem said that financial institutions have data security and notification requirements, but merchants do not, and that all companies should be subject to national standards for breach notifications. Sponem also called for negligent companies to bear the costs of fraud remediation, as today there is “no incentive” for some companies to protect consumer information.
Nathan Taylor, Partner, Morrison & Foerster LLP
In his testimony, Taylor called on Congress to create a national standard for data breaches and data security and discussed divergences between the various state standards that exist today. Taylor noted that only 15 states have requirements that all businesses protect the data they collect, and that many of these are only a “high-level obligation.” Taylor noted that 35 states do not have generally applicable laws for all companies, and said that companies’ legal obligations to protect customer data should not depend on residency. Taylor noted that 48 states, Washington DC, and several US territories have data breach notification laws, but that these laws are very different and difficult to comply with. Taylor also outlined several principles for a federal data breach law, including that it should cover all businesses, require notices to consumers of data leaks that could do harm, and have both a safe harbor provision and federal preemption of state laws.
Professor Marc Rotenberg, President, Electronic Privacy Information Center, and Adjunct Professor, Georgetown University Law Center
In his testimony, Rotenberg said that data breaches are a relatively new consumer issue, as consumer privacy laws in the past were primarily aimed at protecting consumers from the misuse of their data by the companies that collected it. Rotenberg was also critical of “lax” corporate practices related to data storage that put consumers at risk of identity theft and fraud. Rotenberg also noted that in May, the European Union (EU) is finalizing its General Data Protection Regulation, which will apply to all businesses operating in the EU, and called on US legislators to pass a similar law so the US does not fall behind its trade partners.
Paul Rosenzweig, Senior Fellow, R Street Institute
In his testimony, Rosenzweig talked about how data breaches are a kind of economic externality that results from a pricing problem – namely, that private sector actors that lose data do not internalize the cost of that failure. Instead, the costs of data breaches are borne by end-users and consumers, not the breached firm. Rosenzweig also said that any data breach bill should prevent “rent-seeking” by different interests, and not create an inflexible standard, as government is too cumbersome to keep up with developments in cyberspace. Rosenzweig called for a scalable and flexible standard-setting approach, avoiding mandated specific actions and heavy civil sanctions. Rosenzweig also said that today, much of the Federal Trade Commission’s (FTC’s) guidance on acceptable cyber practices comes from consent decrees, which collectively articulate “a very indefinite standard” of reasonable behavior that is difficult for companies to comply with.
Question and Answer
Luetkemeyer expressed support for “immediate notification” and said that the public may demand this due to recent, high-profile breaches that damaged public trust in corporate data management. Rotenberg agreed that prompt notification should be required. Rosenzweig (later in the hearing) endorsed a flexible notification requirement, noting that in cases where a breach is ongoing, disclosure could increase the total harm from the breach.
Ranking Member William Lacy Clay (D-Mo.) asked witnesses for their thoughts on a harm threshold that would require breach disclosure. Rotenberg noted that today, it is up to the breached company to determine the level of harm, and endorsed a standard where more information is made available. Rotenberg said that any bill that addressed data breaches should use a definition of personal information that included traditional forms of personally identifiable information (PII) as well as de-identified information that can be reconstructed by bad actors, and that this broad definition should form the basis of a harm threshold. Cooper argued that any harm threshold should be based on the impact the breached data could have on consumers.
Rep. Keith Rothfus (R-Pa.) asked the panel for ideas on what information should be included in breach notifications to consumers. Taylor argued that notifications should include descriptions of the compromised data and the steps consumers can take to prevent harm.
Rep. Roger Williams (R-Texas) noted that when breaches become public, breached companies become targets for many other bad actors, and asked the panel if there is a risk that hasty notification could increase harm to the public. Taylor agreed, saying that not all breaches are created equal, and that the scope of some breaches takes longer to assess. Taylor also noted that breached firms must restore and rebuild systems while notifying consumers of breaches.
Rep. Mia Love (R-Utah) asked the panel if Congress should set “general parameters” on the timing requirements for breach notification. Cooper called for a “reasonableness standard” that can account for the complexity and scope of the breach. Taylor argued that firms should be required to meet this reasonableness standard as quickly as possible, but cautioned against a hard timeline or a set number of days for disclosure. Taylor also pointed out that hasty disclosure could lead to notifying the wrong individuals that their information has been compromised.
Witnesses and Members of Congress grappled with the idea of federal preemption of state laws on data breach notification and data storage requirements generally. Luetkemeyer framed the issue as a choice between two options – either a federal standard that preempts state law, or Congress allowing “the hodgepodge [of different state laws] to continue.” Rosenzweig noted that each system has advantages and drawbacks, but that the worst of both worlds would be a federal standard that only partially preempts state laws. Williams asked how a federal standard would compare to state standards, and Taylor argued that federal standards are necessary because PII is vulnerable everywhere and consumers everywhere should be treated equally.
Rep. Maxine Waters (D-Calif.) attended the hearing and took an alternative view of federal preemption. Rotenberg endorsed her view by arguing that it is better not to preempt state laws that provide strong protections to consumers. Rotenberg argued that a weaker national standard will increase financial fraud and identity theft.
Rep. Barry Loudermilk (R-Ga.) noted the panel’s support for flexible standards, and asked the panel for their thoughts on how federal legislation could handle different state definitions of what is considered personal data. Cooper argued that Congress should adopt a flexible definition of the term, as this will allow requirements to adjust over time and keep up with changes in the economy.
Rothfus asked the panel for views on which federal agencies should be responsible for enforcing data breach and data security laws. Taylor noted that the FTC has played an active role in this space. Rep. Robert Pittenger (R-N.C.) also asked about enforcement, and Rosenzweig noted that banking entities are regulated by their prudential regulators pursuant to Gramm-Leach-Bliley, while other companies are regulated at the state level and by the FTC. Rosenzweig said the enforcement landscape creates confusion for regulated firms.
Rep. Al Green (D-Texas) asked about penalties for companies that put people’s data at risk. Rosenzweig argued that enforcement actions and administrative sanctions are probably the best options for penalizing companies that abuse a flexible notification standard. Litigation was also discussed as another enforcement tool.
Pittenger asked the panel if law enforcement should share information with the private sector about data breach attacks and other threats. Taylor strongly agreed, arguing that law enforcement information can help companies protect their systems and head off threats.
Rep. Carolyn Maloney (D-N.Y.) asked the panel if third parties are obligated to inform the companies they work with about breaches they discover. Rotenberg agreed that third parties should have notification obligations, and pointed out that third parties are targets for bad actors.
Impact of Merchant Breaches on Financial Institutions
Rep. Andy Barr (R-Ky.) asked Sponem to describe the costs to financial institutions of breaches at merchants, noting that many community banks in his district have complained about this issue. Sponem said that financial institutions must pay for fraud monitoring and mitigation, provide refunds of stolen money, and create and distribute new credit and debit cards. Sponem repeatedly criticized the merchant community throughout the hearing for taking what she described as insufficient steps to protect customer data, and criticized merchants for not being “forthright” with information about breaches.