ABA Outlines Principles for Federal Data Protection, Breach Notification Standards

In a statement for the record of a House Financial Services subcommittee hearing on data security today, ABA outlined several guiding principles for protecting consumer data from data breaches and online cyberattacks. The association emphasized the importance of having robust data protection and breach notification standards — similar to those already adhered to by regulated financial institutions — that would apply to businesses across all industries and ensure that the costs of breaches are borne by the entities that incur them.

Recognizing that banks are already leaders in protecting customer data, ABA called on lawmakers to ensure that any federal data breach bill does not duplicate or undermine banks’ current efforts. ABA noted that a recent bipartisan draft bill released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) would not create duplicative standards for banks, but rather would extend similar expectations to other sectors that handle consumer data.

While ABA agreed that customers should be notified quickly after a data breach is identified, it cautioned that “it would be a mistake to put in place a time-certain for notification such as a certain number of hours or days,” given that each breach is different and some may require more in-depth investigation to determine the size and scope. ABA also urged lawmakers not to mandate a technology solution or specific security requirement, but rather take a risk- and governance-based approach to data security.

In addition, any federal data breach law should have preemption over the patchwork of state laws, ABA said, noting that “although some of these laws are similar, many have inconsistent and conflicting standards.”