Last week, two top Democrats, Senators Elizabeth Warren, (D-Mass.) and Mark Warner (D-Va.), called for stepped-up governmental oversight of credit reporting agencies, along with stiff penalties and fines for those agencies that fail to protect consumers’ personal information.
But banks, insurance companies and other financial services firms that are charged with safeguarding consumer personal financial data have a very different vision for consumer cyber safety reform.
A group of 22 financial institution trade groups—including the American Bankers Association, the Credit Union National Association and the Independent Community Bankers of America—sent a letter to lawmakers pressing its roadmap for reform. The group is asking for few of the consumer protections Warner stipulated in her bill, but instead left enforcement to the Federal Trade Commission (FTC).
In a pointed missive to House Energy and Commerce Committee Chairman Rep. Greg Walden, R-Ore., and Rep. Bob Latta, R-Ohio, the chairman of the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, the group of financial services trade groups says it takes protecting customers’ personal information “very seriously.”
“That is why we support federal legislation to protect personal information and, in the event of a data breach that could result in identity theft or other financial harm, ensure consumers are notified in a timely manner.”
The letter asks for four reforms that the group said it views as necessary in data security legislation:
A “scalable standard for data protection” for companies that factors in the size and complexity of an organization, the cost of available tools to secure data and the sensitivity of the personal information an organization holds. The group also wants a guarantee that small organizations are not hit with “excessive requirements.”
A requirement of timely notice to impacted consumers, law enforcement and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm.
Exclusive FTC and state attorney general enforcement of the new national standard, except for companies subject to state insurance regulation or other regulator oversight. The group wants the FTC alone to have the authority to impose penalties for violations of the new law.
The preemption of what it terms “the existing patchwork of conflicting state laws.”
“Data security impacts every sector of the economy,” the group concluded. “We therefore look forward to working with you and your colleagues to ensure that all sectors employ sound data security and alert consumers when a breach may result in identity theft or other financial harm.”
Opponents including consumer advocates, argue, however, that these reforms don’t go far enough to protect consumers and would actually sap existing data protection laws.