HANG ON TO YOUR LAPTOP—PLEASE

Kathleen W. Collins is a partner in Morgan, Lewis & Bockius, and Washington Counsel of the Bank Insurance & Securities Association. She and Richard Starr write the "From Washington" column in alternate issues.

With the onset of summer and the fall elections just on the horizon, it increasingly feels as if the financial securities industry is one ugly data breach away from regulatory disaster. As Congress sizes up the several bills it has at its disposal—amid constant complaints about its overall lackluster performance—a data security law appears to be just what an incumbent Congressman needs for a quick pick-me-up. Constituents are weary of the stolen-laptop stories and are greatly concerned over the possibility of identity theft. State after state is filling the legislative void by adopting legislation in this area (see "From the States"), so financial institutions have been forced to try to develop a worthwhile federal effort that would preempt the myriad of standards they will otherwise encounter.

House bill approved in May

The House Judiciary Committee's version (H.R. 5318) of a data security bill was approved by the committee on May 25, 2006. This bill, which may end up not being a "standalone" bill, but rather the law-enforcement portion of a larger bill, makes it a crime to knowingly fail to report a data breach that ultimately results in economic harm to a consumer. It directs the attorney general and Secretary of Homeland Security (doesn't he already have enough to do?) jointly to promulgate rules describing the form, content, and timing of the notices to be sent that describe a data breach. The bill also involves the U.S. Secret Service and the Federal Bureau of Investigation, requiring companies to notify either of these agencies when they have knowledge of a major security breach that causes a "significant risk of identity theft."
Failure to provide this notice, with intent to prevent, obstruct, or impede an investigation, could result in fines up to $1 million or imprisonment for up to five years.

But all is not lost for the notice-deficient perpetrator. A "safe harbor" is created for companies that have encrypted, redacted, or otherwise rendered data unusable. However, the safe harbor disappears if the government can demonstrate that the safeguards have been compromised, or that the data was actually accessed and used to commit identity theft. So much for that safe harbor. And if only the bill's drafters could have found a role for the National Park Service, we could all sleep better at night.

The House Energy and Commerce Committee couldn't resist the urge to chime in with its own version, called the "Data Accountability and Trust Act" (DATA, get it?). DATA was reported out of committee on May 26, 2006. This version appears on its face to apply only to a limited universe of "information brokers," but its broad definition of such brokers would ensnare many commercial entities that "collect, assemble or maintain personal information." Enforcement in DATA is delegated in part to state attorneys general, and the bill does not attempt to preempt state causes of action in trespass, contract, fraud, and tort. Class-action suit, anyone?

The Financial Data Protection Act of 2006

The best of the bunch is the House's "Financial Data Protection Act of 2006"—aside from the bill's one obvious failing: It makes a lousy acronym (FDPA will never fly, trust me). But otherwise, the bill's not bad. It creates a safeguard and notice regime for any entity that comes to possess sensitive financial personal information.
It sets a national standard, which should be a critical facet of any federal effort, and requires that breached entities provide free credit-monitoring services in the event information is lost or stolen. Victims of identity theft are permitted to freeze their credit reports, and state laws on the topic would be preempted.

Customer notification under this Financial Services Committee effort is required when a company becomes aware that a breach of data security is "reasonably likely" to have occurred or is unavoidable, and if the company becomes aware of information "reasonably" identifying the nature and scope of the breach, and becomes aware that such information is "reasonably likely" to have been or to be misused in a manner causing harm or inconvenience to consumers. Banking regulators, not Homeland Security or the Federal Trade Commission, would enforce the law as it regards banks.

As the reader may have guessed, consumer groups are not wild about FDPA, and even the lead minority member of the House Financial Services Committee, Rep. Barney Frank, prefers aspects of the DATA version. Meanwhile, Republican House leaders are trying to broker a compromise, raising the specter of a Frankenstein data-security bill.

And don't forget that the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act are still the laws of the land. While FDPA builds on the Fair Credit Reporting Act, the other bills don't address the fact that a financial data regulatory regime of sorts already exists. While a companion bill to FDPA exists in the Senate (S. 2169), others are planning new Senate efforts as this article goes to press, with the Senate Banking Committee reportedly set to clock in with an FDPA-type bill.
With only a short time left for Congress to cook up a data security law before departing for final electioneering efforts, here's hoping the financial services industry can avoid more data-breach headlines, and that Congress can avoid trying to legislate a fix for the latest example of data breach, rather than lifting up its collective head and developing a rational, national standard that will not need to be amended next year. If Congress does nothing on the topic this year, the next session could see efforts to re-vamp the overall national approach to privacy and data security. So pick your poison.