WASHINGTON - The House got what it had been waiting on last week regarding data security legislation: a companion bill in the Senate.
Senate Banking Committee Members Bob Bennett (R-Utah) and Tom Carper (D-Del.) introduced the Data Security Act of 2006 last week. NAFCU was particularly pleased that the Senate bill provides a carve-out for financial institutions in compliance with Title V of the Gramm-Leach-Bliley Act; other entities will fall under the jurisdiction of the Federal Trade Commission. "This is something we whole-heartedly support," NAFCU Associate Director of Legislative Affairs Debbie Kwon-Moore said. She described the Senate bill as taking a "common-sense approach to addressing data security."
Kwon-Moore added, "The Data Security Act of 2006 recognizes the hard work credit unions have done to maintain the utmost security of the personal, sensitive data of their members."
CUNA, as well as NAFCU, is looking for some liability on the part of the retailers whose systems have been breached, like B.J.'s Wholesale Club, as has been reported in the mainstream media. However, the retailers have lobbied hard, and no reimbursement provision for financial institutions appears in any of the legislation.
"CUNA will continue efforts to work with both Senate and House key committees and leadership to include language in any compromise data security bill that would require credit unions and financial institutions to be reimbursed by the breaching entity for costs associated with notifying consumers as well as the re-issuance of credit cards," CUNA Vice President of Communications and Media Outreach Pat Keefe commented. Keefe added that CUNA will also continue efforts to strengthen language enforcing current Visa rules that prohibit merchants from storing personal identifying information.
CUNA Vice President for Legislative Affairs Dean Sagar, who worked on the House Financial Services Committee language while serving on the staff there, said that CUNA is continuing to work to change the notification provisions in the bill. As it stands, the Senate bill could easily be interpreted, he said, to mean that any instrument that had been breached that could be canceled, such as a credit card, would not necessarily prompt notification. Sagar said his experience in drafting the House bill led him to believe that the bankers pushed for the current language in the Senate bill because they wanted consumer notification as late as possible. Earlier notification is better for credit unions, he asserted, because it is better for their members and credit unions cannot just write off these losses on their taxes.
Sagar explained that this debate over timing of the notifications was hashed out before the language was introduced, but in the Senate, he said, "It's introduced, now we can have the debate."
The Bennett-Carper bill creates a uniform national standard for security breach notification, establishes a risk-based trigger for consumer notification, and ensures state and federal functional regulators have enforcement authority. Hearings are expected in the Senate Banking Committee.
The House has been wrangling for some time over what bill in what form would make the final cut. The leadership is in talks with the Financial Services Committee and Energy & Commerce Committee to hammer out a deal between the bills.
Data security legislation became fast-tracked when several major personal data security breaches made news over the last couple of years. NAFCU has made some news itself by working with the banking trade associations on data security, an area where the federal credit union trade association said the groups share some common ground.