Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.) recently introduced H.R. 2205, the Data Security Act of 2015, which would create a national data breach and security standard applicable to all industries handling sensitive personal and financial information, including financial institutions, verified retailers, and data brokers. H.R. 2205 mirrors companion Senate Bill S. 961 introduced under the same name by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) earlier this year.
Both bills would require data breaches to be reported “without unreasonable delay” and also harmonize the jumble of data security laws enacted in 47 states, the District of Columbia, and three U.S. territories. Currently, the inconsistent and conflicting standards pose difficulties to companies operating in multiple states. This lack of uniformity in data-security and breach notification-standards prompted lawmakers to draft this legislation creating a comprehensive data-security program applicable to all actors within the chain of commerce.
Both bills represent a bipartisan effort to strengthen consumer-privacy protections in response to an increasing number of data breaches. More than 100 million records were reported to have been compromised between January and May 2015. The healthcare industry accounts for nearly 98 percent of records compromised this year, while retail vendors account for the majority of total breaches, at nearly 40 percent.
Financial institutions have voiced support for both bills. On May 14, 2015, the American Bar Association, in conjunction with several other trade groups, submitted a statement for the record to the House Financial Service Committee hearing on data security that expressed support for H.R. 2205. Under the Gramm-Leach-Bliley Act, every bank and credit union is required to have information-security programs to protect consumer account information. Retail merchants and healthcare organizations are not similarly regulated by such stringent federal requirements. In 2013, 61 percent of fraud losses were borne by issuers, but only 36 percent were borne by merchants. Financial institutions anticipate that the legislation would create an equal burden to protect sensitive consumer information across all industries.
—Sherry Ly, Snell & Wilmer L.L.P., Las Vegas, NV