WASHINGTON—Bipartisan legislation was introduced in the House today that would protect consumers from identity theft and fraud by establishing a national data security and breach notification standard for financial institutions and retailers.
Introduced by Reps. Randy Neugebauer (R-TX) and John Carney (D-DE), the Data Security Act of 2015 (H.R. 2205) would bring retailers under a national standard similar to the Gramm-Leach-Bliley Act (GLBA) requirements for financial institutions.
Both NAFCU and CUNA strongly support the bill.
“NAFCU appreciates the bipartisan leadership shown by Representatives Neugebauer and Carney in proposing a national standard of data protection for all industries that handle sensitive information based on the strong federal safekeeping standards in the GLBA — that financial institutions, including credit unions, must adhere to,” said Vice President of Legislative Affairs Brad Thaler. “We are also pleased that this legislation would recognize that it is not productive to duplicate data protection and consumer notice requirements that are already in place for credit unions under the GLBA. We urge the House to support this reform effort to make consumers safer and provide regulatory relief to financial institutions.”
“I thank Representatives Neugebauer and Clay for their leadership on data breaches and their commitment to protect the financial data of all Americans,” said Jim Nussle, president and CEO of CUNA. “Those who accept cards as payment must be held to the same standard as those who issue cards for payment.”
Under the bill, each covered entity must:
- Develop and maintain an effective information security program tailored to the complexity and scope of its operations, and the sensitivity of its data.
- Oversee service providers with access to customer information, including requiring service providers by contract to take appropriate steps to protect the security and confidentiality of this information.
- Train staff to prepare and implement its information security program.
- Test key controls, systems and procedures of its information security program.
- Adjust its information security program to reflect the results of its ongoing risk assessment.
