Donovan: Data bill 'interesting,' but more is needed

March 24, 2015

WASHINGTON (3/25/15)--CUNA Chief Advocacy Officer Ryan Donovan says the draft data breach bill under consideration by a House Energy and Commerce subcommittee yesterday and today is "pretty interesting." 

It's the first bill CUNA has seen in a while, Donovan says, that not only would address a national data breach standard, but would also impose data security standards on those entities not subject to the standards in the Gramm-Leach-Bliley Act (GLBA) that cover credit unions and other financial institutions.

"The current weak link in keeping consumers' personal financial data safe clearly is the lack of merchant security requirements," Donovan says, "so this draft bill clearly kicks off an important legislative discussion."

However, the head of CUNA's advocacy says the bill as drafted only begins to address actions needed to shore up policy.

For instance, a final bill would need to tackle these issues where the draft does not, according to Donovan and CUNA:

  • pecific security requirements are not clearly defined;
  • There are not clear instructions to the Federal Trade Commission regarding rulemaking to implement the law, if enacted; and,
  • The scope of exemptions from GLBA-covered institutions is not broad enough.

On that last point, Donovan notes, federally chartered credit unions would be exempt from new standards, while state-chartered are not.

"We are working with subcommittee staff on that and other issues and will continue to do so," Donovan said.

The subcommittee on commerce, manufacturing and trade launched its markup of The Data Security and Breach Notification Act of 2015 Tuesday with panel members' opening statements and continues today with votes on the draft bill.