Is There a Need For a National Standard to Report Breaches of Personal Information? (H.R. 2205)

What is H.R. 2205?

(Updated August 1, 2017)

This bill would require individuals, corporations, or other non-government entities that access or handle sensitive financial account information and nonpublic personal information to implement an information security program. Those people and organizations would also be required to notify consumers, federal law enforcement, relevant administrative agencies, payment card networks and consumer reporting agencies about data breaches that could lead to identity theft or fraud.

Covered entities would be directed to require their third-party service providers by contract to put in place appropriate safeguards for sensitive information. Entities would be allowed to delay sending out notifications about a data breach if one is requested by a law enforcement agency.

Financial institutions would be allowed to communicate with account holders regarding breaches at third-party entities that have clients account information. The bill would establish special notification procedures for breaches at third-party entities and electronic data carriers. Alternative compliance procedures would be put in place for financial institutions covered by the Gramm-Leach-Bliley Act and entities complying with health record privacy laws.

Among the entities tasked with enforcing this legislation would be the following:

• Federal Trade Commission (FTC);

• Comptroller of the Currency;

• Federal Reserve System;

• Federal Deposit Insurance Corporation (FDIC);

• National Credit Union Administration Board;

• Securities and Exchange Commission (SEC);

• Commodity Futures Trading Commission (CFTC);

• The Office of Federal Housing Enterprise Oversight;

• State insurance authorities in certain circumstances.

This legislation would also prohibit state laws from being imposed for information security and breach notification purposes.

Argument in favor

Account holders should be informed about potential breaches of their personal information as quickly as possible, and this bill would create a federal standard to ensure that happens.

Argument opposed

Businesses and government entities that have access to people’s sensitive personal information can be expected to notify those who may be affected by a data breach without a federal standard.

Impact

Any individual or entity that handles sensitive personal information — especially banks and health care providers; and federal and state agencies responsible for enforcing this legislation.

Cost of H.R. 2205

A CBO cost estimate is unavailable.

Additional Info

In-Depth: Sponsoring Rep. Randy Neugebauer (R-TX) introduced this bill to ensure that consumers are promptly alerted about data breaches at entities that store sensitive personal information:

“This legislation was crafted with three guiding principles. First, any national standard must be technology neutral and process specific. This helps ensure the private sector can continue to innovate. Second, we need everyone at the table — all participants in the payment system must equally share in the efforts to protect consumer financial data. As we have learned from too many previous breaches, the system is only as strong as the weakest link. Finally, the standards we establish are scalable and well-tailored to to avoid unnecessary burdens on small businesses. It is imperative that any standard take into consideration the size scope, and type of financial information businesses hold.”

This legislation was passed by the House Financial Services Committee on a vote of 46-9, and it enjoys the bipartisan support of 36 House cosponsors, including 21 Republicans and 15 Democrats.

Media:

• Sponsoring Rep. Randy Neugebauer (R-TX) Press Release
• House Financial Services Committee Press Release
• Absolute
• Homeland Security Today
• ABA Banking Journal (In Favor)