CBA Letter re HFSC FI Hearing on Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime

 

March 6, 2018

 

 

The Honorable Blaine Luetkemeyer

Chairman

Committee on Financial Services

Subcommittee on Financial Institutions and Consumer Credit

U.S. House of Representatives

2230 Rayburn House Office Building

Washington, D.C. 20515

 

The Honorable Lacy Clay

Ranking Member

Committee on Financial Services

Subcommittee on Financial Institutions and Consumer Credit

U.S. House of Representatives

2428 Rayburn House Office Building

Washington, D.C. 20515

 

           

Dear Chairman Luetkemeyer and Ranking Member Clay:

 

The Consumer Bankers Association (CBA) writes to comment on the March 7th, 2018 Subcommittee hearing, entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime.”  In particular, CBA supports the “Data Acquisition and Technology Accountability and Security Act” to establish a national data security and breach notification standard and we look forward to making improvements to the bill throughout the legislative process.  CBA is the voice of the retail banking industry whose products and services provide access to credit to millions of consumers and small businesses.  Our members operate in all 50 states, serve more than 150 million Americans and collectively hold two-thirds of the country’s total depository assets. 

 

The Data Acquisition and Technology Accountability and Security Act

CBA supports the Data Acquisition and Technology Accountability and Security Act discussion draft to help protect consumers’ sensitive information throughout the payment system by establishing a national data security and breach notification standard.  Importantly, the discussion draft recognizes banks and credit unions already adhere to strong security controls and notification requirements and are supervised by their prudential regulators for compliance with such standards.  This needed legislative proposal applies a similar, scalable standard to retailers and other sectors to better protect consumers’ sensitive information and require timely consumer notification in the event of a breach.  The discussion draft also provides preemption from the existing patchwork of state laws and allows for the enforcement of the new standard by the Federal Trade Commission and states’ Attorneys General.  This discussion draft is an important step forward and CBA commits to working with the sponsors and other stakeholders to enact legislation to help safeguard consumers from future breaches.

 

The Promoting Responsible Oversight of Transaction and Examinations of Credit Technology Act of 2017

The Promoting Responsible Oversight of Transaction and Examinations of Credit Technology Act of 2017 (H.R. 4028) brings needed attention to cyber threats and the seriousness of having in place effective data security protocols.  Today, financial institutions are subject to data security and notification requirements under the Gramm-Leach-Bliley Act.  While banks and credit unions are subject to supervision and enforcement by their prudential regulators for compliance with these safeguards, non-depository financial institutions are only subject to enforcement by the Federal Trade Commission.  H.R. 4028 recognizes this void in the current compliance regime and places nationwide credit reporting agencies under the supervision of a prudential regulator as determined by the Federal Financial Institutions Examination Council.  

 

CBA recognizes many consumers are seeking ways to ensure the security of their personal data and more closely monitor their credit reports.  Our members are committed to making sure customer data is safe and secure and spend considerable resources on fraud monitoring and resolution. 

 

While CBA members understand the intent of H.R. 4028 to provide quick and affordable access to credit freezes in light of recent breaches, there could be potential unintended consequences to consumers’ on-demand access to credit.  Today, consumers expect real-time credit approvals, and any delays can be confusing and frustrating.  While credit freezes may be the appropriate choice for some consumers, others may prefer options that enable on-demand access to credit.  Given the potential negative implications of this section on the availability and flow of credit, we encourage further debate on this important topic prior to passing legislation changing the current credit reporting structure. 

 

In addition, this legislation would prohibit the use of a Social Security Number (SSN) as a consumer report identifier past January 1, 2020.  More can and should be done to protect consumers’ identities, but a deviation from the widespread use of the SSN as the primary identifier to a new and untested alternative could cause unintended harm and impede the flow of credit to consumers.  CBA looks forward to working with Congress, regulatory agencies, and other participants in the credit markets to discuss and study alternatives that would help protect consumers from criminals seeking to steal their identities.

 

Thank you for the opportunity to comment on these legislative proposals.  We look forward to working with the Subcommittee to ensure the security of consumers’ sensitive information while providing robust and healthy credit markets.

 

Sincerely,

 

Richard Hunt

President and CEO

Consumer Bankers Association