Bills on data security and breach notification – one still in draft form – drew mixed reviews from witnesses Wednesday before a House subcommittee, with both industry groups and a representative of a state government calling for changes.
The hearing before the House financial institutions subcommittee looked at the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017, H.R. 4028 (the PROTECT Act), introduced by Rep. Patrick McHenry (R-N.C.), which would require supervision and examination of large consumer reporting agencies with respect to their cybersecurity measures.
The hearing also considered the Data Acquisition and Technology Accountability and Security Act (no bill number yet assigned), to be introduced by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.), which would establish national data security and breach notification standards with a federal enforcement mechanism overseen by the Federal Trade Commission (FTC).
Witnesses from three industry groups largely voiced support for both bills, but they sought some changes. For the PROTECT Act, at least two of the witnesses urged removal or revision of a provision that would prohibit consumer reporting agencies (CRAs, such as the nationwide companies Experian, Equifax and TransUnion) from using a consumer’s Social Security number (SSN) in a consumer report, or as a method of identifying the consumer, after Jan. 1, 2020.
Francis Creighton, President & CEO of the Consumer Data Industry Association (CDIA), a trade group for the three national credit reporting agencies (among others), said in his statement that eliminating use of SSNs is not a feasible proposal. “CRAs need SSNs because we have obligations under the FCRA (Fair Credit Reporting Act) and other statutes to ensure maximum possible accuracy of the data we maintain,” Creighton said. “The use of SSNs is absolutely critical to meeting this legal obligation.”
Jason Kratovil of the Financial Services Roundtable – a trade group representing the largest financial services firms in the nation – echoed Creighton’s comments in his written statement, calling an outright prohibition on SSN use “not advisable as a matter of legislative policy.”
The other bill was supported largely by the industry witnesses, including John Miller, vice president of global policy and law for the Information Technology Industry Council (ITI, a trade group advocating for the “tech sector,” including hardware, software and internet companies). Miller said the breach notification section of the proposal offers “much-needed regulatory clarity and certainty,” which he called critical for businesses devoting resources to data security and legal compliance.
However, on the safeguards section of the bill, Miller said its potential effectiveness is ultimately undermined because it prescribes what security should look like in a rigid and inflexible manner. That, he said, leaves regulators, rather than organizations, “with the discretion to determine what security measures are reasonable.”
But Sara Cable, Massachusetts Assistant Attorney General and Director of Data Privacy & Security in the state’s Consumer Protection Division, panned the proposal outright in prepared remarks.
She said that, as the “cop on the beat” working on the front lines of the data security problem, her office believes the bill, taken as a whole, would “leave consumers in a worse position than the status quo.”
“This Bill allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology,” she told the subcommittee.