

Data Security


Issue

Banks are national leaders in preserving the security of customer data. Unfortunately, banks are also prime targets of would-be data thieves. Moreover, banks are often called upon to pick up the pieces from breaches caused in part by inadequate security measures of non-banks. Legislative and regulatory proposals to remedy data breach problems further threaten bank activities and may miss the real weaknesses in the information system while imposing new, unnecessary burdens.

Position Statement

Should federal legislation be adopted, ABA supports comprehensive, but focused, data security legislation and regulatory policy that:

1) Creates a uniform standard for data security across all types of businesses;
2) Exempts institutions subject to existing Gramm-Leach-Bliley Act (GLBA) data security requirements;
3) Maintains functional regulation;
4) Contains strong preemption of state law; and
5) Redresses weaknesses in financial incentives so that those responsible for a breach bear the costs, such as replacing affected debit and credit cards.

Background

While banks have had the mandate to safeguard sensitive customer information for years, the growth of the Internet and electronic commerce has made compiling and selling sensitive personal information easier for a multitude of companies. In recent years a number of high profile breaches occurred, exposing millions of Americans' sensitive account and personal information to criminals. The TJX Companies breach provides one clear example of why card associations must be more active in enforcing their contracts and why federal data security legislation can be valuable. Since data breaches started becoming public, states have been acting to require data safeguards, customer notification in case of a breach, and in some instances the option for consumers to freeze their credit files.

Explanation

Because of the risk to consumers posed by data breaches, and because of the growing patchwork of state laws, ABA believes that data security legislation should provide a uniform, nationwide mandate that unregulated entities, such as retailers and data brokers, be required to take steps to safeguard the sensitive customer information that they hold. Banks have had such an obligation to protect their customers' sensitive financial information for years.

In the 111th Congress, many committees will consider legislative options for improving the security of sensitive consumer information and providing notices to consumers when there is a breach that places them at risk. Each committee has taken a significantly different approach to address the problem, according to its jurisdiction. However, not all of the legislation would recognize the unique needs of banks to serve our customers most effectively.

In evaluating any legislative solution, ABA believes that, first and foremost, a national standard is critical for any legislation addressing data security and consumer notices. Adding another layer of regulation to a rapidly growing patchwork of state and local laws hurts consumers, hurts the economy, and will not provide effective customer protection.

Additionally, ABA believes that Congress should recognize that GLBA already requires financial services companies to have in place much of what is being considered in most data security legislation. Title V of GLBA requires financial services companies to implement data security safeguards, a customer response program, and a comprehensive privacy policy. The banking regulators have issued guidance extending Title V to require customer notices in case of a breach that puts consumers at risk. To layer a duplicative regulatory system on top of this robust framework would only increase costs for financial institutions, and ultimately for their customers.

Likewise, financial institutions have an incredibly robust regulatory framework under which they operate. This is particularly true for depository institutions. Because of this existing framework, ABA believes that any legislation considered in Congress should embrace functional regulation as the most efficient and appropriate way to enforce and administer new data security and notification requirements.

ABA supports the establishment of financial incentives so that those responsible for a breach bear the costs, such as replacing affected debit and credit cards. Some of the biggest costs associated with a breach are those from reissuing credit and debit cards, covering fraudulent charges from stolen card numbers, and closing accounts placed at risk. In instances where a bank issued cards affected by a breach, these costs can mount quickly, and the bank ends up bearing all of the costs itself. Banks are doing this now because they are dedicated to protecting their customers. However, those responsible for breaches should bear their costs and thereby acquire enhanced financial incentives to develop strong programs and practices to safeguard sensitive information.

Federal legislation could eliminate the growing patchwork of state laws and provide consumers across the nation with strong protections while not adding an extra and unnecessary layer of regulation on banks.

Contact for further information: Doug Johnson (202) 663-5059.