Last week, two top Democrats, Sens. Mark Warner, D-Virginia, and Elizabeth Warren, D-Mass., called for increased governmental oversight over credit reporting agencies and stiff penalties for those agencies should they fail to protect consumers’ personal information.
But credit reporting agencies are far from the only companies that house consumers’ data.
Banks, credit unions, insurance companies, title insurers, and other companies are also tasked with safeguarding the information they possess.
And now, the trade groups that represent many of those companies are also asking for the government to enact new data security rules.
In a letter sent earlier this month to House Energy and Commerce Committee Chairman Rep. Greg Walden, R-Oregon, and Rep. Bob Latta, R-Ohio, the chairman of the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, a collection of 22 trade groups say that they support new data security legislation because their member companies take data security “very seriously.”
The groups also lay out their vision for how that data security legislation should look.
“The undersigned organizations, representing companies across the American economy, take the stewardship and protection of customers’ personal information very seriously,” the groups write. “That is why we support federal legislation to protect personal information and, in the event of a data breach that could result in identity theft or other financial harm, ensure consumers are notified in a timely manner.”
The letter is signed by the American Bankers Association, the American Land Title Association, the Credit Union National Association, the Independent Community Bankers of America, the National Association of Federally-Insured Credit Unions, and more.
The groups identify four specific elements that they view as necessary in data security legislation, including:
- A flexible, scalable standard for data protection that factors in (1) the size and complexity of an organization, (2) the cost of available tools to secure data, and (3) the sensitivity of the personal information an organization holds, as well as guarantees that small organizations are not burdened by excessive requirements
- A notification regime requiring timely notice to impacted consumers, law enforcement, and applicable regulators when there is a reasonable risk that a breach of unencrypted personal information exposes consumers to identity theft or other financial harm
- Consistent, exclusive enforcement of the new national standard by the Federal Trade Commission and state attorneys general, other than for entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996/HITECH Act. For entities under its jurisdiction, the FTC should have the authority to impose penalties for violations of the new law
- Clear preemption of the existing patchwork of often conflicting and contradictory state laws
“Data security impacts every sector of the economy,” the groups conclude. “We therefore look forward to working with you and your colleagues to ensure that all sectors employ sound data security and alert consumers when a breach may result in identity theft or other financial harm.”
The letter is signed by the following organizations:
ACT | The App Association
American Bankers Association
American Insurance Association
American Land Title Association
BSA | The Software Alliance
Consumer Bankers Association
Credit Union National Association
CTIA
Electronic Transactions Association
Financial Services Roundtable
Independent Community Bankers of America
Independent Insurance Agents and Brokers of America
Internet Commerce Coalition
National Association of Federally-Insured Credit Unions
National Association of Mutual Insurance Companies
National Business Coalition on E-Commerce & Privacy
Property Casualty Insurers Association of America
Reinsurance Association of America
Retail Industry Leaders Association
TechNet
Twenty-First Century Privacy Coalition
USTelecom