Hearing looks at two bills focusing on data security, standards, notifications

Two pieces of legislation on data security and breach notification, one still in draft form, will be examined during a hearing Wednesday by the House subcommittee on financial institutions.

The 2 p.m. hearing on “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” will also feature testimony from a four-member panel.

The proposed measures at the focus of the hearing are:

  • Promoting Responsible Oversight of Transaction and Examinations of Credit Technology Act of 2017, H.R. 4028, introduced by Rep. Patrick McHenry (R-N.C.). The legislation requires supervision and examination of large consumer reporting agencies regarding their cybersecurity measures. It also amends the Fair Credit Reporting Act (FCRA) in two ways: to allow consumers to request that a consumer reporting agency place a security freeze on their reports, including provisions for fees and exceptions from such fees; and to prohibit the use by consumer reporting agencies of a consumer’s Social Security number in a consumer report or as a method to identify the consumer after Jan. 1, 2020.
  • Data Acquisition and Technology Accountability and Security Act (no number yet assigned), to be introduced by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.). The legislation would establish national data security and notification standards with a federal enforcement mechanism overseen by the Federal Trade Commission (FTC). According to the discussion draft of the bill, it would “replace the current patchwork of state and federal regulations for data breaches with a national law that provides uniform protections.” The bill would establish a technology-neutral “reasonableness” standard for data security which, the discussion draft states, “would be flexible and commensurate to the covered entity’s size and complexity, activities, sensitivity of the information it maintains, and the cost of available protections.” Additionally, the draft includes requirements for consumer and law enforcement notifications if there has been a breach of data security involving personal information.

Witnesses scheduled to testify at the hearing include Sara Cable, Director, Data Privacy and Security, and Assistant Attorney General, Office of the Attorney General, Commonwealth of Massachusetts; Francis Creighton, President and Chief Executive Officer, Consumer Data Industry Association; John S. Miller, Vice President, Global Policy and Law, Information Technology Industry Council; and Jason Kratovil, Vice President, Financial Services Roundtable.
