CBA, Trades Issue Letter on Data Breaches
July 31, 2018
The Honorable Bob Latta
Subcommittee on Digital Commerce and Consumer Protection
2125 Rayburn House Office Building
Washington, DC 20515
Dear Chairman Latta:
We sincerely appreciate the opportunity to participate in your discussions over the last several months about data breach legislation.
Data security breaches continue to put millions of consumers at risk, and we share your views that protecting the sensitive personal and financial information of consumers is vitally important. Stopping breaches is critical for consumers, and also important to our members who often have the closest relationships with those affected. Data breaches impose significant costs on financial institutions of all sizes because our first priority is to protect consumers and ensure that they have no liability for fraud that typically follows a breach. Our members provide relief to victims of breaches, regardless of where the breach occurs.
In our view, it is critical for your Committee and the Financial Services Committee to collaboratively move forward on legislation that puts in place strong national data security and breach notification requirements and eliminates the current inconsistent patchwork of state law.
We believe that Congress should enact legislation encompassing the following elements:
- A flexible, scalable standard equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements.
- A notification regime equivalent to what is in the Gramm-Leach-Bliley Act (GLBA) requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
- Consistent, exclusive enforcement of the new data security and notification national standard by the Federal Trade Commission (FTC) and state Attorneys General, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law.
- Clear preemption of the existing patchwork of often conflicting and contradictory state laws for all entities that follow this national data security and notification standard.
Any legislation enacted into law must ensure that all entities that handle consumers’ sensitive financial data have in place a robust – yet flexible and scalable – process to protect data, which must be coupled with effective oversight and enforcement procedures to ensure accountability and compliance. This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches. This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide.
Our existing payments system serves hundreds of millions of consumers, retailers, financial institutions and the economy well. Protecting this system is a shared responsibility of all parties involved and we must work together and invest the necessary resources to combat never-ending threats to the payments system.
We have enjoyed a constructive dialogue with you and your staff and look forward to working with you, Chairman Walden and Members of your Committee on this important issue.
American Bankers Association
Consumer Bankers Association
Credit Union National Association
Independent Community Bankers of America
National Association of Federally-Insured Credit Unions
cc: The Honorable Greg Walden, Chairman of the House Energy & Commerce Committee