Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) released draft text of a bipartisan data security bill today. The bill would provide broad standards for data protection across industries and create new federal post-breach notification requirements.
The draft legislation would set consistent, scalable standards for what businesses that handle sensitive personal data must do to protect that data. It also establishes steps that covered entities must take to notify regulators, law enforcement and victims after a breach exposing records of 5,000 or more consumers.
The bill designates the Federal Trade Commission as the regulatory and enforcement agency for non-depository institutions; the prudential regulators would continue to oversee how banks and their affiliates protect data under the Gramm-Leach-Bliley Act, and compliance with those agencies’ regulations would constitute compliance with the Luetkemeyer-Maloney bill. Under the current draft, FTC action in response to a breach would preempt state enforcement actions, and depository institutions would be exempt from actions brought by state attorneys general.
The American Bankers Association has long advocated for consistent data security standards, and association staff are reviewing the draft and working closely with members of Congress to ensure the bill aligns with ABA’s position on the issue. ABA Government Relations Council Vice Chairman Jim Reuter — president and CEO of FirstBank, Lakewood, Colo. — is scheduled to testify on this topic at a House Financial Services Committee hearing on March 1.
