House Financial Services Committee Issues Report on Consumer Information Notification Requirement Act
Excerpts of the report follow:
Purpose and Summary
Introduced by Representative
1Agencies includes the OCC,
2The Safeguards Rule requires financial institutions under
3See
Background and Need for Legislation
In response to competitive pressure in the financial services marketplace, as well as increased demands for convenience from consumers, financial institutions are becoming increasingly reliant on electronic storage and transmission of personal financial data. As the amount of electronically accessible data increases, so does the amount of sensitive data that is vulnerable to the risk of theft. This increased exposure to risk has also created an expectation from consumers that institutions ensure the security of personal and financial information data.
Over the last several years, numerous
4Congressional
5https://www.equifaxsecurity2017.com/.
Data breaches affect consumers in two ways. First, data breaches subject consumers to uncertainty and confusion. Consumers may lose confidence in the payments system when they hear about data breaches, even if they are not directly affected. Second, data breaches and the improper accessing of Personal Identifiable Information (PII) increase consumers' vulnerability to identity theft, leading to further inconvenience, potential legal issues and possible financial loss.
Protecting information and systems from major cyber threats, such as cyber theft, cyber terrorism, cyber warfare, and cyber espionage, must be a priority for
STATE LAW GOVERNING DATA SECURITY AND DATA BREACH NOTIFICATION
Currently, only a few specific industries of the private- sector economy are required by federal law to notify consumers when a data breach may have compromised consumers' PII. These include financial institutions covered by the Gramm-Leach Bliley Act (GLBA).
Forty-eight states, the
6http://www.ncsl.org/research/telecommunications-and-information- technology/security-breach-notification-laws.aspx.
Some state laws impose general data security standards as well. Seventeen states and territories permit a private right of action pertaining to data breaches or data breach notifications.
And yet, the Equifax breach has reaffirmed that data security is a national problem that requires a national solution. The patchwork of state laws that comprise the legal and regulatory data security and breach notification regime have caused both confusion and a lack of accountability as cyber criminals continue to steal valuable PII from consumers.
Data Security Standards for Financial Institutions
Despite continued data breaches, financial institutions and retailers argue that further data security legislation and regulation may be unnecessary or counterproductive. Financial institutions point out that, unlike most other sectors of the economy, they are already subject to laws and regulations that require them to safeguard confidential customer data. They also point out that they have an incentive to safeguard customer data because a data breach will damage their relationships with their customers and tarnish their brands. For these reasons, financial institutions monitor and update their security controls to reduce fraud and guard against security breaches.
As new threats develop, so to must the controls that mitigate the risks. As financial institutions are developing or reviewing their information security protocols can draw upon a variety of sources, including federal laws and regulations and numerous security-related guidance, in addition to several other entities that provide voluntary standards or information- gathering roles.
Financial institutions are required to institute sufficient risk management procedures to ensure their safety and soundness, and to ensure compliance with federal and state laws and regulations. The
7https://www.ffiec.gov/about.htm.
In 2005 the
8https://www.gpo.gov/fdsys/pkg/FR-2005-03-29/pdf/05-5980.pdf.
"every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations."9
9https://www.gpo.gov/fdsys/pkg/FR-2005-03-29/pdf/05-5980.pdf.
To ensure financial institutions adhere to these principles the 2005 Interagency Guidance requires the following of breached entities:
Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused,
Notifying its primary federal regulator "as soon as possible" when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information,
Consistent with the Agencies' Suspicious Activity Report ("SAR") regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing,
Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information,
Notifying customers when warranted and "as soon as possible", with a delay only at the directive of law enforcement agency for investigation purposes.10
10https://www.fdic.gov/news/news/financial/2005/fil2705a.pdf.
A flexible and scalable standard guarantees that a financial institution can both notify its customers and undertake corrective action from the breached entity in the necessary and appropriate timeframes. A scalable standard does not hamper law enforcement during the course of their investigation.
Additionally the
11http://ithandbook.ffiec.gov/it-booklets/information- security.aspx.
Title V of GLBA requires that financial institutions provide customers with notice of their privacy policies and safeguard the security and confidentiality of customer information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. Section 4(k) of the Bank Holding Company Act of 1956 and accompanying regulations define financial institutions as businesses that are engaged in certain "financial activities." Such activities include traditional banking, lending, and insurance functions, along with other financial activities.
GLBA requires regulators of "financial institutions" to develop and impose upon financial institutions standards for administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. GLBA delegates enforcement and rulemaking authority to the federal banking and securities regulators and the state insurance regulators. For "financial institutions" not regulated by one of these functional regulators, the
The federal banking agencies monitor banking companies for safety and soundness and compliance with laws and regulations by on-site examinations--at least annually and every 18 months for some community banks. Included in the examination is a comprehensive review of information technology and security. The GLBA safeguards standards are integrated into the overall IT examination. In addition, since 2001, the banking agencies have issued a series of guidelines, which have the force of law, detailing how the GLBA safeguards requirements are to be put into effect. The guidelines require that financial institutions develop security programs that are tailored to the complexity of their operations. They must include board of directors' involvement; risk assessment; oversight of service providers; personnel training; systems monitoring; breach response procedures; and mitigation of incidents. Under these guidelines, when a security breach is detected, the financial institution must notify law enforcement and its supervisory agency or agencies as soon as possible; customers must be notified if a reasonable investigation shows that misuse of sensitive customer information has occurred or is reasonably possible. Measures to control the incident and mitigate its consequences must be implemented.
The security guidelines recommend implementation of a risk- based response program, including customer notification procedures, to address unauthorized access to or use of customer information maintained by a financial institution or its service provider that could result in substantial harm or inconvenience to any customer, and require disclosure of a data security breach if the covered entity concludes that "misuse of its information about a customer has occurred or is reasonably possible." Pursuant to the guidance, substantial harm or inconvenience is most likely to result from improper access to "sensitive customer information."
Financial institutions must also comply with state data security breach notification laws. Retailers and merchants are not subject to GLBA or any comparable federal law. Forty-seven states, the
12U.S.
Hearings
The Committee held hearings examining matters relating to H.R. 6743 on
Committee Consideration
Committee Votes
Clause 3(b) of rule XIII of the Rules of the
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Committee Oversight Findings
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
Performance Goals and Objectives
Pursuant to clause 3(c)(4) of rule XIII of the Rules of the
In compliance with clause 3(c)(2) of rule XIII of the Rules of the
Congressional Budget Office Estimates
Pursuant to clause 3(c)(3) of rule XIII of the Rules of the
U.S.
Hon.
Dear Mr. Chairman: The
If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is
Sincerely,
Enclosure.
H.R. 6743--Consumer Information Notification Requirement Act
H.R. 6743 would require several federal agencies to establish standards regarding how financial institutions provide notifications of a data breach to customers. Under the bill, State insurance authorities would be required to enforce those standards.
Under the bill, the
Any spending by the
Administrative costs incurred by the
Because enacting H.R. 6743 could affect direct spending and revenues, pay-as-you-go procedures apply. However, the net effect on direct spending and revenues would not be significant.
CBO estimates that enacting H.R. 6743 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.
H.R. 6743 would explicitly preempt state and local laws that require insurance providers as well as financial institutions and their affiliates to notify customers in the event of a security breach. All 50 states, the
The bill also would require state insurance authorities to enforce new federal standards that would direct insurance agencies and brokerages to notify customers of a data breach. That requirement would be a mandate as defined in UMRA.
H.R. 6743 would impose private-sector mandates by requiring financial institutions and their affiliates to comply with new standards for data security and breach notifications as established by the federal government. Further, if federal regulatory agencies increase fees to offset the costs associated with implementing the bill, H.R. 6743 would increase the cost of an existing mandate on private entities required to pay those fees.
Because the various federal regulatory agencies have yet to establish the required data security and breach standards, CBO cannot determine if the cost to comply with the bill's requirements would exceed the threshold for intergovernmental and private-sector mandates established in UMRA (
The CBO staff contacts for this estimate are
Federal Mandates Statement
This information is provided in accordance with section 423 of the Unfunded Mandates Reform Act of 1995.
The Committee has determined that the bill does not contain Federal mandates on the private sector. The Committee has determined that the bill does not impose a Federal intergovernmental mandate on State, local, or tribal governments.
Advisory Committee Statement
No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.
Applicability to Legislative Branch
The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of the section 102(b)(3) of the Congressional Accountability Act.
Earmark Identification
With respect to clause 9 of rule XXI of the Rules of the
Duplication of Federal Programs
In compliance with clause 3(c)(5) of rule XIII of the Rules of the
Disclosure of Directed Rulemaking
Pursuant to section 3(i) of
Section-by-Section Analysis of the Legislation
Section 1. Short title
This section cites H.R. 6743 as the "Consumer Information Notification Requirement Act."
Section 2. Breach notification standards
This section amends Section 501 of the Gramm-Leach-Bliley Act in order to help establish and federal standard on data security breach notifications.
Section 3. Preemption with respect to financial institution safeguards
This section amends Section 507 of the Gramm-Leach-Bliley Act to insert a preemptive requirement over state law.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of the
GRAMM-LEACH-BLILEY ACT
The full text of the report is found at: https://www.congress.gov/congressional-report/115th-congress/house-report/1097/1?s=1&r=4
TARGETED NEWS SERVICE,
Soon-To-Be Released Study Show The Rich Getting Richer
House Financial Services Committee Issues Report on Reforming Disaster Recovery Act
Advisor News
- Living longer, retiring poorer: Why fragmented systems are failing Americans
- Women say their advisors respect them, but talk down to them
- How PEPs compare with traditional 401(k)s
- Allianz studies why 42% of Americans retire sooner than expected
- Why advisors should be talking about life settlements
More Advisor NewsAnnuity News
- Reframing retirement income for greater certainty
- Jackson Introduces Dow Jones Industrial Average Index Option, Flexible Premiums, Six-Year Rate Guarantee in Latest Registered Index-Linked Annuity Launch
- Senior Market Sales® Fortifies Annuity Reach With Acquisition of Retirement Planning Firm Stratton & Company
- NAIC regulators continue pushing for annuity illustration updates
- Wink: Flat first-quarter annuity sales fall just short of $100B
More Annuity NewsHealth/Employee Benefits News
- Medicare rates will rise for some in State Health Plan
- CMS: No plans to eliminate Medicare brokers
- Health insurance costs could jump by up to 18% for 220,000 Connecticut residents
- Medicare rates will rise for some in State Health Plan
- Differences between supplements and Advantage plans
More Health/Employee Benefits NewsLife Insurance News
- KBRA Releases Research – Private Credit: Much Ado About Nothing – Perspectives on Columbia Business School Paper About Private Ratings
- VUL sales skyrocket in Q1, signaling major market shift
- KBRA Releases Research – Private Credit: A More Balanced Review of the NAIC PLR Review Process for Insurance Balance Sheets
- Jackson Introduces Dow Jones Industrial Average Index Option, Flexible Premiums, Six-Year Rate Guarantee in Latest Registered Index-Linked Annuity Launch
- State locates $107M in missing insurance funds
More Life Insurance News