Now that everyone agrees that Congress must take action on consumer data-breach legislation, next comes the hard part: Writing a bill that doesn’t fall apart amid partisan disagreements and demands from virtually every industry group and influential state officers, who say they’re being left out of negotiations.
House Financial Services Chairman Jeb Hensarling, R-Texas, and Blaine Luetkemeyer, R-Mo., who is chairman of the financial institutions and consumer credit subcommittee, have taken the lead in trying to show that the Republican congressional majority can produce a bill that replaces 48 different state data-breach reporting requirements with a uniform federal standard.
Just prior to Thanksgiving, Luetkemeyer said he is working with stakeholders and “starting to frame up” what will be in a consumer data bill. “Nothing is definite yet,” he said.
But he appears to be considering a breach-notification proposal drafted by the Financial Services Roundtable, Retail Industry Leaders Association, and telecom-based 21st Century Privacy Coalition as the basis for his bill.
Under that proposal, financial institutions would continue to be covered by existing standards on consumer data security under the Gramm-Leach-Bliley Act, an approach that has sparked opposition from smaller retailers and groups representing hotels, realtors and others.
Further, the FSR-RILA language appears to preserve the authority of state attorneys general to bring civil suits, except in cases involving financial institutions or when the Federal Trade Commission brings an action.
And it would give the FTC enforcement authority over the new law, including over common carriers otherwise regulated by the Federal Communications Commission. Sources have said that will be a flashpoint with many congressional Democrats. It also includes exemptions sought by telecom service providers.
This is all problematic for congressional Democrats, who have long warned against a weaker federal consumer data-breach rule that would preempt strong standards developed in states such as New York, Connecticut, and California.
State attorneys general and groups representing smaller retailers say their concerns have yet to be addressed.
“We haven’t been directly engaged on new bills and haven’t perceived that legislators are seeking our input,” said a senior official in a state attorney general office. “Our view is that AGs play an indispensable part in the data-breach environment.”
This source predicted opposition from a bipartisan group of state attorneys general “to pre-empting AG authority over an issue that we hear about from constituents on a regular basis.”
“I don’t hear much in the current rhetoric that makes me think bills will be much different this year,” said a source who represents smaller retailers. This source pointed to exemptions for the financial services industry and others as deal killers.
“I don’t see a bill getting through the Senate that exempts an entire industry,” the source said.
A bipartisan Senate working group that includes Sens. John Thune, R-S.D., and Mark Warner, D-Va., offers more hope for an agreement on the issue, the source said.
“The bipartisan approach in the Senate has a better chance to produce something that applies to everyone,” the source said. “That creates the best incentive for business to do everything in their control to secure consumer data.”
Sources close to Warner, Thune, and other working group participants said they had no updates just before the holiday.
Recent conversations with senators from both parties also suggested enduring partisan splits over how to address the issue.
Senate Commerce Ranking Member Bill Nelson, D-Fla., said the Republican majority doesn’t feel any pressure to move legislation on the issue, “but we’re going to keep raising sand.”
Sen. John Kennedy, R-La., on the other hand, said he’s “not there yet” on the need for a federal law, saying he’d rather see private-sector solutions.
Luetkemeyer’s panel is expected to hold another consumer data security hearing in December. This issue has come up before, only to fade away as lawmakers grappled with the intricacies of writing a federal law.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
