Financial Sector Pushes Hard for Data Security Bills; Retailers Want PCI Probe
Members of the financial services industry have launched a media campaign in support of bills they say would provide better protection of consumer data, bring retailer accountability for data breaches in line with the financial sector and supersede myriad state laws pertaining to breach-notification regulations.
The Data Security Act (H.R. 2205) was introduced in May 2015 by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), and a companion bill (S. 961) was introduced by Sen. Thomas R. Carper (D-Del.). The bills extend data protection and consumer notice standards under the Gramm-Leach-Bliley Act (GLBA) beyond financial institutions to all businesses handling personal and financial data, among other stipulations.
A contingent of financial services providers has recently been ramping up its support of the bills by purchasing online ads and full-page newspaper ads aimed at federal legislators.
“All entities that handle sensitive financial data should be required to protect that data,” Jason Kratovil, vice president of government affairs for payments at Financial Services Roundtable (FSR), said last week. FSR is an advocacy organization for the U.S. financial services industry. “It’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe,” he added.
In addition to the FSR, the consortium includes the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association, the Independent Community Bankers of America, National Association of Federal Credit Unions and The Clearing House.
The group also supports a Website, http://www.stopthedatabreaches.org, emphasizing data security and urging Congress to pass the Data Security Act. The site lists the total of consumer records breached last year as 169 million.
“Credit unions and other financial institutions already protect consumers’ personal data under the provisions of the 1999 Gramm-Leach-Bliley Act,” Carrie Hunt, NAFCU executive vice president of government affairs and general counsel, said in a statement last week. “There is no comprehensive regulatory structure similar to GLBA for other entities, such as retailers, that handle sensitive personal and financial data.”
So far in 2016, the business sector, which includes retailers, accounted for 48.4 percent of data breaches and 19.9 percent of exposed records, according to NAFCU, citing Identity Theft Resource Center statistics. The financial sector accounted for 2.5 percent of breaches and no exposed records.
Shortly after the bill was introduced last year, the National Retail Federation (NRF) bluntly said that everything about the legislation is wrong. “Banks have tough rules because a criminal hack could drain customer accounts in an instant and threaten the safety and soundness of the entire financial system,” but hacks to small businesses don’t pose the same risk, said David French, NRF senior vice president, government relations.
In other data security news, the NRF is asking the FTC to investigate the Payment Card Industry Security Standards Council, which sets data security standards, saying the group’s practices raise antitrust concerns. The FTC already is investigating how third-party companies conduct PCI audits.
“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” wrote NRF Senior Vice President and General Counsel Mallory Duncan in a letter to FTC Chairwoman Edith Ramirez and other commission members.