A backroom deal between the financial sector and retail groups could unlock consumer data security legislation after years of stalemate, although significant policy and political obstacles must be cleared before Congress can notch a historic achievement on cybersecurity.

Rep. Blaine Luetkemeyer, R-Mo., chairman of the House Financial Services institutions and consumer credit subcommittee, revealed last week that he is drafting a data security and breach notification bill. Industry sources said the measure is based on a landmark compromise between longtime rivals on the issue, the Financial Services Roundtable and the Retail Industry Leaders Association.

That agreement has been quietly circulated among stakeholders but hasn't been publicly released.

Sources said the language is specifically designed to avoid pitfalls that doomed legislative efforts in the last Congress, when the Financial Services Committee passed a bill supported by the banking industry while the House Energy and Commerce Committee passed one supported by retailers.

This time around, the Financial Services panel appears determined to move a broadly supported bill, while Energy and Commerce is still undecided. In any case, Energy and Commerce almost certainly will either produce its own bill or demand a referral of any measure passed by Financial Services.

“I don't see Luetkemeyer following the last bill. He wants a bill that can get enacted” and knows that the previous approach won't get him there, said an industry source who supports the FSR-RILA work on the issue, which also involves the 21st Century Privacy Coalition of major telecom companies.

A congressional staffer said the Luetkemeyer legislation will be unveiled “in the near future,” which could mean early next year.

Luetkemeyer declined to discuss specifics of his planned approach, but said he is “working on a bill in conjunction with industry.”

He did say the Equifax breach pointed up the need for timely notice when consumers' information is hacked, and he criticized the patchwork of 48 different state notification requirements that companies must navigate.

The lawmaker stressed the need for harmonization of data security rules through a uniform federal standard, so that “the most cumbersome” state regulations don't “drive the issue.” That's a point on which congressional Republicans and Democrats are likely to part company.

Luetkemeyer said policymakers also need to take a closer look at who assumes liability in the event of a data breach.

In the Energy and Commerce Committee, digital commerce and consumer protection subcommittee Chairman Bob Latta, R-Ohio, last week said he is still assessing whether current federal consumer data protection and breach notification requirements are sufficient — and awaiting results from the Federal Trade Commission's Equifax probe — before diving into legislation.

Latta said “human error” seems to be the primary culprit in the Equifax breach, but that he wants to know whether the laws and regulations already on the books “have enough teeth.”

Meanwhile, FSR and RILA each represent larger entities in their respective sectors, and some sources said smaller companies wouldn't enjoy the benefits of their deal.

“I have seen it, but it does not resolve any concerns,” said one source who represents small businesses, and who cited extensive problems with both committees' bills in the last Congress.

Other hurdles for the legislation include determining how the rules would apply to third parties that handle consumer data, how much authority the Federal Trade Commission has to set proactive rules, timing requirements for notifying consumers of a breach and whether security standards should be spelled out in detail.

Throw in the question of pre-empting state standards on notification and data security and it's a complex mix of issues that still must be resolved. But the process is now underway in the House.

Sources said the Senate is likely to hang back and see if the House can produce a compromise bill before fully diving in.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America's Struggle to Secure Cyberspace,” published by Rowman and Littlefield.