On the eve of a committee vote on the Data Security Act of 2015, U.S. PIRG reiterated its opposition, calling it a “Trojan Horse assault on state privacy laws.” On Dec. 9, 2016, the House Financial Services Committee approved the bill by a vote of 46 – 9.
The measure, H.R. 2205, would establish a national data security and breach notification standard for all businesses and would apply to any individual, partnership, corporation, trust, estate, cooperative, association, or entity that accesses, maintains, communicates, or handles sensitive account information or sensitive personal information. Ed Mierzwinski, U.S. PIRG’s Consumer Program Director, says the bill is a “massive attack on state privacy laws.”
State law preemption. A letter signed by U.S. PIRG and 17 other consumer and privacy groups states that H.R. 2205 would supersede all state laws on data security and breach notification, including those protecting personal information not covered in the bill. According to the letter, the bill would “squelch” new and developing laws in states extending protections to online account information including email accounts and cloud photo storage.
The bill also does not cover information about an individual’s geographic location or electronic communications. Moreover, it is unclear, the letter states, whether “medical information” would include the broad range of data that is collected about individuals’ physical or mental health through websites and wearable devices.
“Preempting state law would make consumers less protected than they are right now,” the letter says. The organizations believe that states should continue to adapt their laws to respond to changes in technology and data collection, as they are “better equipped to quickly adjust to the challenges presented by a data-driven economy.”
Serving banks. The letter states that H.R. 2205 is “designed to serve the banks.” The letter notes that over 100 merchant and retailer associations oppose the bill because it imposes two tiers of rules. Banks would continue to be subject to an “existing weak regime that does not even require breach notices, only modest plans,” while other firms would be subject to the bill's higher requirements.
For more information about data security for financial institutions, subscribe to the Banking and Finance Law Daily.