A flurry of legislative activity on Capitol Hill hints that Congress may be shaking off its inertia and there may be some long-awaited forward movement on key issues, including national data breach legislation, a threat information-sharing bill and renewal of parts of the Patriot Act.
On Thursday, Sen. Tom Carper, D-Del., and Sen. Roy Blunt, R-Mo., introduced the Data Security Act of 2015, a bill which seeks to create a “clear set of national standards that would help the prevention of and response to data breaches at public and private institutions.”
The proposed law would establish a single set of national standards that would usurp the 49 state and U.S. territory laws that currently exist and create numerous challenges for companies trying to comply with them all.
Pointing out his long commitment “to ensure that we have common sense measures in place to safeguard the transactions we conduct every day in person and online,” Carper in a statement called the legislation a “bipartisan and comprehensive” initiative that would set clear data protection and breach response requirements for organizations handling financial and personal information.
He urged his colleagues in Congress to embrace the bill which is based on the security and response requirements laid out by the Gramm-Leach-Bliley Act of 1999. The Data Security Act of 2015 “builds on existing law to better ensure data security procedures are uniformly applied,” according to a press release.
Though not the first effort to introduce national data breach legislation in this Congress, the Carper-Blunt bill drew the immediate support of industry organizations. Brad Thaler, the vice president of legislative affairs for the National Association of Federal Credit Unions (NAFCU), said in a statement that his organization “welcomes this legislation to tackle the data security issue from a financial institution perspective.” He encouraged the Senate to throw its support behind the legislation, which he said would “make consumers safer and provide regulatory relief to financial institutions.”
The NAFCU pointed to the bill's protection of the “ability of consumers and financial institutions to sue retailers for actual financial damages for negligence in the wake of a data security breach and for punitive damages in the case of a willful violations of the Act.” It also clarifies that financial regulators have authority over financial institutions while the Federal Trade Commission (FTC) will oversee retailers and other companies currently unregulated.
Similarly, the American Bankers Association put its support behind the bill, with ABA President and CEO Frank Keating saying in a statement “this important legislation would apply to all industries that handle sensitive information, and would provide meaningful and consistent protection for consumers nationwide.”
He praised the bill as a “comprehensive approach [that] would better serve consumers by requiring businesses to take whatever steps are necessary to adequately protect all Americans from identity theft and account fraud.”
The ABA's Keating earlier in the week also released a statement in support of a cyber threat information sharing law, noting a pair of bills marked up this week by two separate House committees - the House Homeland Security Committee and the House Intelligence Committee. A similar bill, the Cybersecurity Information Sharing Act (CISA), made it through the Senate Intelligence Committee in March by a vote of 14-1.
Keating noted that an information-sharing bill "will help facilitate increased cyber intelligence information sharing between the private and public sectors, and strikes the appropriate balance between protecting consumer privacy and allowing information sharing on serious threats to our nation's critical infrastructures.”
Likewise, the Financial Services Roundtable (FSR) voiced its support. “Congressional action to better protect consumers from cyberattacks is long overdue,” FSR President and CEO Tim Pawlenty, said in a statement. “We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the President's desk.”
Rounding the mid-April legislative activity, The Hill reported that Congress is closer to a bipartisan action that would limit government surveillance while renewing certain portions of the USA Patriot Act, signed into law after the terrorist attacks of Sept. 11, 2001.