September 23, 2011

Senate panel approves 3 data security bills

Three separate bills aimed at establishing nationwide standards for data security and breach notification were approved by the Senate Judiciary Committee Thursday.

S. 1151, introduced by Judiciary Chairman Patrick J. Leahy, D-Vt., would impose more rigorous penalties for hackers and require businesses to adopt data-security programs. S. 1408, offered by Sen. Dianne Feinstein, D-Calif., would subject companies to fines up to $1 million for not meeting certain notification standards when personal information has been compromised. The third bill, S. 1535, offered by Sen. Richard Blumenthal, D-Conn., is mostly an amalgam of the approaches under the other two bills. The Senate Judiciary Committee approved the bills along party lines in separate 10-8 votes.

Currently, credit unions and other financial institutions must follow data security and breach-response requirements under the Gramm-Leach-Bliley Act of 1999. That law, however, does not extend to retailers and other non-financial entities that collect sensitive information.

NAFCU Vice President of Legislative Affairs Brad Thaler said that the bills that passed the Committee were an improvement over earlier versions, as they now contain exemptions for institutions in compliance with Gramm-Leach-Bliley standards.

Thaler added it is unlikely any of the pieces of legislation will move forward in current form, since no committee Republicans voted for any of them. "With other data security and cybersecurity bills out there, it is more likely that what ultimately gets to the Senate floor will reflect aspects of all the various perspectives," he said.

NAFCU continues to believe that the best way to address the data security issue is to replace the current hodgepodge of state and federal regulations with a set of national requirements. NAFCU has long advocated that all entities – retailers as well as financial institutions – be required to bear responsibility for safekeeping consumers' financial information and taking the precautions necessary to prevent data breaches.

Under the current regulatory regime, credit unions have had to absorb steep losses to restore member account security after a data breach, including in instances where the retailer's failure to protect sensitive financial information was explicitly identified as the cause.