Committee Passes Data Security and Breach Notification Legislation

Federal data security and breach notification legislation recently advanced out of the House Committee on Financial Services.

On September 13, 2018, the Consumer Information Notification Requirement Act (CINRA), H.R. 6743, was passed out of the House Committee on Financial Services. The bill was introduced by Representative Blaine Luetkemeyer (R-MO) on September 7, the one-year anniversary of the Equifax data breach affecting nearly 150 million people. It is unclear whether the bill will be passed by the full House of Representatives, but it is very unlikely the bill will move before the midterm elections.

If passed, CINRA would amend the Gramm-Leach-Bliley Act (GLBA) to require that federal agencies develop for financial institutions both a federal data security standard and a notification system for any breach or unauthorized access of customer information. Most agencies with jurisdiction over the financial sector already have data security and notification requirements in place, but some do not. A source within the Luetkemeyer staff explained to Inside Cybersecurity that the bill "would codify existing guidance that most financial institutions adhere to today. We're enhancing the Gramm-Leach-Bliley Act by adding a notification requirement. The goal is to require everyone under GLBA to have a notification standard in place."

This bill is the most recent in a long line of legislative efforts to establish federal data security requirements to protect consumer information. While this bill's scope focuses solely on the financial sector, many individuals and entities across the political spectrum have called for a federal breach notification standard and related requirements across the nation's entire economy in order to simplify the complicated patchwork of state laws with which companies must currently comply. Such broad efforts have failed largely due to concerns that a federal standard would be less stringent than certain state laws, lessening protections for consumers in those states.

Opponents of CINRA have raised concerns that the bill's limited scope undermines efforts to implement a more comprehensive approach to breach notification and data security. The source from the Luetkemeyer staff responded, "[The office will] continue to work on the broader package," but CINRA "fixes part of the problem" and "raises the bar" across sectors.

Jennifer Ortega is a Senior Associate with Ulman Public Policy.

© 2018 Jennifer Ortega. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.