On September 13, the House Financial Services Committee passed H.R. 6743, the Consumer Information Notification Requirement Act. The legislation, sponsored by Subcommittee on Financial Institutions and Consumer Credit Chairman Blaine Luetkemeyer, is an attempt to institute a new statutory requirement that all financial institutions notify consumers in the event of a breach involving their personal information.
This Act will preempt any State law with respect to securing personal information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data.
The Act provides that, for an entity engaged in providing insurance, the insurance authority of the State in which the entity is domiciled shall enforce its provisions. The Act also applies to insurance agents and brokers.
Insurance Commissioners Have Something to Say About the Act
In a letter to the Committee on Financial Services, the National Association of Insurance Commissioners opposed the Act. The Commissioners stated that they "have serious concerns that the bill’s language would significantly limit state insurance regulators from protecting consumers in their state."
The letter goes on to state that the Act would broadly preempt all state laws and regulations and prohibit states from imposing any stronger requirements for insurance consumer protection. According to the Commissioners, the Act disregards the existing state insurance regulatory framework and would inhibit ongoing efforts in the states to adopt data security laws and regulations in the best interest of insurance consumers. The Commissioners recognize that "consistent standards around the country are important, but because further cyber attacks and data breaches are inevitable, it is even more important for regulators to have the power to act and help remedy the situation on behalf [of their constituents]."
Left Scratching Our Heads
There is little doubt that cyber attacks and data breaches are a major concern for the financial, healthcare, and insurance industries. Every company and consumer is at risk of a detrimental cyber-related event. Most people agree that we need laws that impose cybersecurity requirements and require the public to be notified of a data breach. The disagreement is over how to approach these issues.
Europe has implemented one sweeping law, the General Data Protection Regulation (GDPR), in an effort to protect EU residents. The U.S. does not have a similar law. Instead, each state has implemented its own breach notification or data security laws. Different sectors are also subject to their own federal privacy and data security rules and regulations (e.g., HIPAA governs medical and health information, FERPA applies to educational institutions, etc.).
This patchwork of laws, rules and regulations is an administrative nightmare for multi-state companies because they have to ensure compliance with every applicable state and federal law. It would be easier to have something similar to GDPR. However, as the Commissioners noted, each state should be allowed to govern its territory as it sees fit for its constituents.
There is also a second debate: should a sweeping federal law adopt a stricter approach to cybersecurity and data protection, or should it take a "light touch" approach?
I don't think there is a "correct" approach. One major law, a patchwork of laws, strict or lenient - each approach has pros and cons. My only comment is that we all agree that the problem of cybersecurity and cyber-privacy is here to stay. Leaders at the federal and state levels need to make a decision soon and act on it.
As for the Consumer Information Notification Requirement Act, I applaud Chairman Luetkemeyer's effort. Will the Act become the law of the land? I have my doubts, but we shall see . . .