
Jan. 23, 2019

Data breach bill would create federal notification standard

The bill aims to amend the breach notification standards by adding language that financial institutions must establish procedures to protect consumer information, “including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss.”

Chris C. Schwarz

Associate, ADLI Law Group

Email: chris.schwarz@adlilaw.com

Chris focuses his practice on corporate, business transactions and civil litigation. He can be reached at .

The Consumer Information Notification Requirement Act (H.R. 6743), recently introduced in the House of Representatives, would drastically change how consumers are notified of data breaches. Championed as a critical amendment to the Financial Modernization Act of 1999, the bill most significantly would preempt state data breach notification requirements and create a national data breach notification standard, at least for financial institutions. Doing so would make notification a uniform process for financial institutions, which may struggle to provide proper notice for data breaches when their procedures do not conform to the guidelines of every state, particularly companies with a substantial presence across many geographic areas.

The bill is part of a flurry of new cybersecurity bills in 2018, including others that call for automatic sanctions on foreign cyber-attackers, creating a new chief data officer position at the Department of Homeland Security, and providing greater authority to the DHS to block contractors and subcontractors that officials believe pose cybersecurity risks. The passage into law of any of these bills would be another step toward updating regulations to protect consumers and businesses from cybercrimes that have evolved considerably in the twenty-first century.

But H.R. 6743 could be a game changer. It was only 19 years ago, with the Modernization Act, that Congress set contemporary regulations for how financial institutions shall handle customers' personal information. The act allowed for the consolidation of major banks, insurance carriers, and investment groups, while simultaneously boxing out the Securities and Exchange Commission and other traditional financial oversight agencies from regulating the now-larger investment bank holding companies. In the process, the legislation left corporate America to its own devices with respect to notifying consumers of data breaches and the ensuing effects on their personal information. In a sense, perhaps Congress could not have known at the time what lay on the horizon for data technology.

Yet now, with the cascade of data breaches that have plagued American business and financial infrastructure in the last two decades, federal legislative change is probably necessary to right the ship. H.R. 6743 may be just what the doctor ordered. Notably, the bill aims to amend the breach notification standards by adding language that financial institutions must establish procedures to protect consumer information, "including through the provision of a breach notice in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss." It further provides that such institutions "shall establish the standards with respect to such notice that are contained in the interpretive guidance issued by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision titled 'Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice', published March 29, 2005 (70 Fed. Reg. 15736), and for a financial institution that is not a bank, such standards shall be applied to the institution as if the institution was a bank to the extent appropriate and practicable."

The new language thus establishes the framework for a federal notification standard. Doing so gives the consumer a clear picture of the threshold protocols financial institutions must meet when disclosing breaches. While the fight over the compromised data may rage on, consumers will at least feel comfortable knowing they will receive the substantive details they need to make informed decisions concerning their data. A good night's sleep subsequent to a major data breach never hurt anybody.

Arguably, the bill also helps businesses by guiding them on the minimum notification thresholds they must meet, which may better facilitate company efforts to avoid liability while employing the most cost-effective means legally available to do so. Theoretically, companies will not have to fret as much about drafting their own list of notification guidelines and merely hoping they are sufficient.

H.R. 6743 also makes clear that prior state data notification standards will be preempted, stating in pertinent part: "This subtitle preempts any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of any State, or political subdivision of a State, with respect to securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data."

Accordingly, upon passage, the federal government will assume its rightful and updated place in the fight against data breaches. States of course are not forgotten under this bill; they must merely adhere to it in their own efforts to curtail data breach notification turmoil. Nevertheless, the federal imprint the legislation places on data breach efforts should not be underestimated. Given that breaches largely occur across the internet and across state lines, the federal government's role in legislating America back to technological sanity, at least in this instance, may make a lot of sense.
