March 25, 2015

Panel adds NAFCU-sought exemption to data security bill

A draft data security bill was amended in a House subcommittee mark-up Wednesday to provide an exemption for financial institutions subject to the Gramm-Leach-Bliley Act, as urged by NAFCU.

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade also adopted three other amendments: one clarifying third-party notification issues, one mandating that the Federal Trade Commission conduct education and outreach for small businesses on data security practices, and one calling for the FTC to establish and maintain a website featuring nonbinding best practices for businesses regarding data security.

On Monday, NAFCU Vice President of Legislative Affairs Brad Thaler wrote to full committee and subcommittee leaders to recommend ways to strengthen the bill. He suggested, for example, requiring FTC rulemaking authority for data security standards and including language to make entities that fail to meet a basic data protection standard liable for any costs incurred from a breach in their systems. The subcommittee took no action in these areas.

He also encouraged the panel to strengthen the exemption for Gramm-Leach-Bliley-Act-covered entities, which was adopted in a manager's amendment to the bill.

NAFCU is requesting that any data security legislation ensure that:

  • breached entities be held accountable for costs resulting from their negligence;
  • consumers be notified of breaches and made aware of retailers' data security policies;
  • account servicers be notified; and
  • retailers be held to a strong national standard on data security.