States' Role Key Issue in Clash over Data Bills: House Version Would Give Attorneys General Enforcement Power
Kaper, Stacy, American Banker
For the financial services industry, the data security debate is moving in opposite directions in the Senate and the House.
The Senate Banking Committee is expected to finally unveil its bill this week, and at least one industry lobbyist considers it a "dream bill." But the outlook is nowhere near as sunny on the House side, where leaders -- determined to mark progress on this sensitive issue -- are widely thought to be weighing a deal that would hand state attorneys general the power to enforce protections.
Since personal information identifying 26 million veterans and military personnel was stolen last month, lawmakers have been under pressure to move data security legislation quickly. Sources said Monday that if the House cannot pass a compromise bill by the Fourth of July recess, leaders may push through a narrower bill covering only government agencies.
Generally, financial institutions support a national data security law, which they say would be simpler to follow than multiple state ones. A national law also would require other types of companies to implement the same sorts of safeguards and follow the same breach notification requirements that depository institutions must follow under the Gramm-Leach-Bliley Act.
The House had been expected to vote last week on the Financial Services Committee's bill, one of three versions in the House and the one the industry favors.
But Energy and Commerce Committee Chairman Joe Barton, R-Tex., delayed the vote by pushing to include some of his committee's provisions, including the one empowering state attorneys general. Industry representatives and banking, thrift, and credit union regulators oppose this provision, arguing that it would undermine a uniform standard and regulators' oversight.
The Financial Services Committee's version would preempt state laws, retain Gramm-Leach-Bliley requirements for financial institutions, limit enforcement to financial institutions' regulators, and allow only victims of identity theft to freeze credit files.
(The third bill, written by the Judiciary Committee, is narrower, establishing penalties for companies that do not notify authorities of a data breach.)
"There's still an attempt on the part of leadership to work on a compromise between the Financial Services, Energy and Commerce, and Judiciary committees and get a bill to the floor," said Floyd Stoner, the lead lobbyist for the American Bankers Association. …