American banks and retailers are sparring over whether financial firms should follow a new national standard to quickly notify consumers when they’ve experienced a data breach.
Equifax Inc. said last week that it would notify an additional 2.4 million consumers who were hacked during its massive data breach in 2017 -- but a draft of a House bill with bipartisan support would exempt the credit-reporting agency from the new requirements.
The proposal, backed by Representative Blaine Luetkemeyer, a Missouri Republican, and Carolyn Maloney, a New York Democrat, would establish a federal mandate for when and how certain companies, like retailers, tell customers about a data breach. Financial institutions, would be exempt, because they already have to adhere to the 1999 Gramm-Leach-Bliley Act, which establishes privacy protections for consumers, according to Luetkemeyer’s office. Equifax falls under that category because it collects sensitive financial information.
Despite multiple efforts in recent years, no bills have been passed that would establish a national standard for data breach notification. The Luetkemeyer-Maloney proposal is already drawing critics among consumer advocates.
The legislation as currently drafted is “the worst of both worlds,” said Mike Litt, consumer campaign director of the consumer advocacy group U.S. PIRG. “You are creating a national standard that exempts a company like Equifax or at the very least leaves it uncertain what their obligations are, which is disappointing.”
U.S. PIRG along with the Consumer Federation of America have said that any federal legislation should include financial institutions and clear the way for states to pass even tougher notification requirements.
Lawmakers have been pushing for a national standard following high-profile cyberattacks on Equifax, Uber Technologies Inc., and Yahoo! Inc., which compromised the personal information of millions of Americans. House and Senate panels have held hearings in recent months, with another one scheduled for Wednesday by a House Financial Services subcommittee to discuss proposals to reform data security and breach notification laws.
Pressure mounted last week after Equifax said it was belatedly notifying the additional consumers whose identities had been stolen last year because it had been unable to confirm who they were at the time since only partial driver’s license information was taken.
“While I credit Equifax for continuing to examine the scope of its massive data breach that lost sensitive personal and financial information, the company should have acted sooner to mitigate the impact on these additional affected consumers,” Senator John Thune of South Dakota said in a statement. “Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”
Now, there’s no federal breach notification standard for non-financial companies. Instead, they follow a patchwork of notification laws in 48 states, which can vary in the amount of time companies have to disclose any breach and who they’re required to notify. Companies may argue they need time to track down the extent of the breach and repair it before disclosing it to consumers to prevent additional hacks.
Luetkemeyer’s bill would require companies to "immediately notify without unreasonable delay" customers when there’s a risk a data breach could expose them to identity theft or fraud. The proposal, which would preempt state laws, also requires businesses to inform the Secret Service or the Federal Bureau of Investigation if the breach affects more than 5,000 consumers.
“For each state with robust consumer protection laws on the books, there are many others with extremely weak protections," Luetkemeyer said in a statement. "Under my draft legislation, a breached entity is required to notify consumers immediately if their personal information has been accessed and law enforcement has approved. This standard is not required under current law, but the reason for immediate notification is simple: consumer protection.”
‘Swiss Cheese Notification’
Luetkemeyer’s proposal also requires companies to take preventative measures to protect the security and confidentiality of information that are appropriate given the size of the business and the sensitivity of its data. For instance, a pizza parlor wouldn’t have to take the same precautions as a major mobile app storing sensitive payment information.
Lawmakers have tried to pass national data breach notification laws for years. After news of a cybersecurity attack at Target Corp. broke in 2013, lawmakers over the next few years offered an array of bills or amendments addressing data breaches, but not one passed.
David French, the senior vice president for government relations at the National Retail Federation, said the group supports a national standard, but thinks financial firms should be included since the Gramm-Leach-Bliley Act predates modern cybersecurity vulnerabilities.
"If you do a Swiss cheese notification structure, where only some businesses are required to notify and not all, then the consumer doesn’t really know who is putting their data at risk," French said.
The National Retail Federation is backing an advertising campaign over radio and on digital platforms in the Washington area to push for all industries to be included in a new standard, according to French.
Lobbying groups for banks and credit unions, including the American Bankers Association and Financial Services Roundtable, argue that they are already required to follow rigorous data protection and breach notification practices. Advocates point to guidance from the Federal Deposit Insurance Corp., which instructs financial institutions to notify customers when their personal information has been illegitimately obtained and could be misused. "Banks are required to maintain highly secure systems, while other sectors have no federal standards," Jess Sharp, senior vice president for the American Bankers Association, said in a statement. "It’s like delivering water through a pipe but saying it’s acceptable for some sections to leak. Those weak spots are where consumers get hurt.”