The proposals include a standard for data protection, a notification regime, and enforcement by the Federal Trade Commission (FTC) and state attorneys general.
The letter was addressed to Rep. Greg Walden (R-Ore.), chairman of House Energy & Commerce Committee, and Rep. Bob Latta (R-Ohio), chairman of the subcommittee on Digital Commerce and Consumer Protection. The American Bankers Association, the Consumer Bankers Association, the Credit Union National Association, the Independent Community Bankers of America, and the National Association of Federally-Insured Credit Unions were among the signatories to the letter.
The group said the data protection standard should take into account the size and complexity of an organization, the cost of available tools to secure data, and the sensitivity of the personal information held. The group also proposed the legislation should guarantee against excessive requirements for small organizations.
The group also proposed a requirement of timely notice to customers, law enforcement, and regulators whenever the possibility of identity theft or other financial harm arises from a breach. Additionally, the group called for enforcement that is exclusive to the FTC and the state attorneys general, with exceptions for certain entities under state insurance regulation or other special legislation. The FTC should be authorized to impose sanctions under the new law, according to the group.
Finally, the group called for a clear preemption of the existing patchwork of state laws, which they described as “often conflicting and contradictory.”
“Data security impacts every sector of the economy,” the group wrote in the letter. “We therefore look forward to working with you and your colleagues to ensure that all sectors employ sound data security and alert consumers when a breach may result in identity theft or other financial harm.”
Bill penalizing consumer data breaches introduced in Senate
New York launches tough new regs in wake of Equifax breach
A group of organizations representing various industries has sent a letter to Congress outlining a set of proposed elements for customer data security legislation in case such legislation should be enacted.