New Senate bill tackles merchant data protections

May 1, 2015

WASHINGTON (5/1/15)--A coalition of six Democratic senators introduced a data protection bill Thursday that would, in part, require companies that store sensitive personal or financial information on 10,000 customers or more to meet specified consumer privacy and data security standards to keep this information safe, and notify the customer within 30 days of a breach.

CUNA strongly advocates for improved merchant data protection standards--ones that mirror credit unions' own Gramm-Leach-Bliley Act standards--that will ensure consumers' sensitive data will be protected.

Sens. Patrick Leahy (Vt.), Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.) and Ed Markey (Mass.) introduced the Consumer Privacy Protection Act of 2015.

Other key provisions of the bill include:

  • Establishing a broad definition of the types of information that must be protected, including Social Security numbers; financial account information; online usernames and passwords; unique biometric data, including fingerprints; information about a person's physical and mental health; information about a person's geolocation; and access to private digital photographs and videos;
  • Requiring companies to inform federal law enforcement of all large breaches, as well as breaches that involved federal government databases or law enforcement or national security personnel; and
  • Guaranteeing a federal baseline of strong consumer privacy protections by preempting weaker state laws, while leaving stronger state laws in place.

On the House side of the Capitol, earlier this month the House Energy and Commerce Committee passed the Data Security and Breach Notification Act of 2015 (H.R. 1770) by a 29-20 vote.

The bill would require certain entities that collect and maintain personal information to secure such information and provide notice to individuals if the information is breached or exposed. CUNA opposes the data breach bill saying it falls far short in protecting consumers.

According to CUNA, strong data breach legislation should entail:

  • Strong national data protection and consumer notification standards, coupled with effective enforcement provisions. CUNA believes the standard in H.R. 1770, which calls for "reasonable security measures" should be strengthened;
  • Recognition of the data protection standard financial institutions face under the Gramm-Leach-Bliley Act. CUNA urges the committee to ensure that entities already covered by these standards are not subject to dual and perhaps inconsistent regulations;
  • Ensuring that the party responsible for the breach bears the costs associated with the breach. CUNA would like to see a section of H.R. 1770 modified with language stating this; and
  • A strong federal standard that preempts inconsistent state laws and regulations that deal with data protection and consumer notification. H.R. 1770 does not accomplish this.

CUNA currently supports S. 961, data security legislation introduced by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.). The Carper-Blunt bill is representative of the financial industry's core data security principles, and CUNA will be working with the financial services industry to advocate for its passage.