This week, Senators Tom Carper (D-Delaware) and Roy Blunt (R-Missouri) introduced the Data Security Act of 2015, which is similar to the Data Security Acts the two senators proposed in 2012 and 2014.
If passed into law, the bill would require companies that lost customer data to hackers to notify customers within 30 days that their credit or debit cards have been compromised, and it would establish other rules as well.
For the most part, card-issuing institutions such as banks and credit unions support Carper and Blunt's bill, yet privacy and consumer-rights advocates worry that the proposal as currently written would actually weaken the amount of protection consumers currently have, by overriding stronger state-level consumer-protection laws and by eliminating certain national-level protections currently in place.
Weaker in some ways
Card-issuing institutions incur massive costs any time a major hack compromises their cards en masse. The Credit Union National Association (CUNA) called the Data Security Act “much-needed legislation” that would “protect the sensitive financial information of American people by establishing a national standard for data security, protection and consumer notification.”
Yet that national standard, at least in some respects, would arguably be weaker than some standards which currently exist. For example: the language of the bill, as written, says that companies do not have to disclose security breaches to their customers if the companies discover that “there is no reasonable risk of identity theft, economic loss, economic harm, or financial fraud.” Currently, companies must notify consumers of data breaches, whether they cause financial harm or not.
Representative Jan Schakowsky (D-Illinois), speaking against the bill, told the Washington Post: “Fifty-one states or territories have some sort of data protection legislation on the books -- 38 would see the data protection breach notification diminished in some way because this is a preemption law.”
Yet that patchwork of varying state- or territorial-level laws is exactly why the bill's supporters want a single unifying national standard. Rep. Peter Welch (D-Vermont), one of the bill's co-sponsors, said that right now, if a customer in one state is affected when hackers breach security at a company based in another state, it's not certain which state actually has jurisdiction. “I am usually, almost uniformly opposed to preemption — but this is an instance where unless you have a national standard you won't have protection,” he said.
On the other hand, under the current standard, companies in such situations generally adhere to the stronger of the two states' laws, which again hearkens back to the argument that this proposed bill would actually weaken consumer protections.