Washington’s most ferocious fights usually happen between Republicans and Democrats. But in the area of consumer protection and high finance, a more common divide occurs between Sacramento, Albany and Tallahassee, and the federal government. On Wednesday, Washington picked a fight with the states.
The House Financial Services Committee overwhelmingly approved legislation Wednesday that would force companies that lose control of customers’ sensitive personal data — whether to hackers or rogue employees — to notify those customers, and federal law enforcement, as promptly as possible. The irritant for the states: The bill would override laws in states including California, Illinois and Massachusetts that set their own rules for data breaches over a decade ago after the federal government refused to act.
Forty-seven state attorneys general, led by South Dakota’s Marty Jackley, a Republican, pleaded with congressional leaders to abandon any legislation, such as the Data Security Act approved Wednesday, that hems in the authority that they have enjoyed for years.
“The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information, and have enacted laws in these areas years before the federal government,” the attorneys general wrote before the committee acted. “Indeed, Congress would not be considering the issues of security breach notification and security freeze if it were not for earlier enactment of laws in these areas by innovative states.”
With the bill, Rep. Jeb Hensarling, the Texas Republican who chairs the Financial Services Committee, has waded into an area fraught with conflicts — and not just between Washington and the states. Bank lobbyists pushed for the measure over the objections of retailers, who would suddenly face new federal rules that used to apply only to banks. And the measure could shift costs from banks to stores.
With hackers and other ill-doers roaming cyberspace, the security of personal data has become a top issue for banks, retailers and the authorities responsible for policing them. The Privacy Clearinghouse has estimated that, since 2005, nearly 5,000 company data breaches have compromised over 815 million records containing information about medical histories, Social Security numbers or bank data.
Moreover, data breaches have hit household names such as Target and JPMorgan Chase, elevating the subject politically during the last few years in a way that previous hackings did not.
Consumer issues have long been an area of state concern, with attorneys general — who frequently then move into the governor’s mansion — leading the way. But when Congress passed a massive overhaul of financial regulation in 2010 with very little Republican support, the issue turned more partisan than it had been.
Republican attorneys general mostly refused to sign cooperation agreements with the new federal regulator, the Consumer Financial Protection Bureau. A few even sued in federal court to overturn parts of the law, known as the Dodd-Frank Act.
But if some states are skeptical of a new federal agency, they all agree that Congress has no business writing state laws into irrelevance. This type of legislation, which “pre-empts” state laws that conflict with new federal rules, has always drawn scorn from states that see themselves, in the famous words of Justice Louis Brandeis, as “laboratories of democracy.”
“States generally oppose preemption, period,” said James Tierney, director of the National State Attorneys General program at Columbia University law school.
The legislation also puts consumer advocates in the same camp as attorneys general of both parties. They originally sought data-breach rules in the states after the federal government failed to act in the early 2000s, when hacking emerged as a signature problem of the Internet age.
Ed Mierzwinski, director of the consumer program at US-PIRG, a watchdog group, said banks have persuaded Congress to kneecap state authorities with a bill that sounds like a federal consumer protection measure.
“Hidden inside a seemingly modest proposal to establish federal data breach notice and data security requirements is a Trojan Horse provision designed to take state consumer cops off the privacy beat, completely and forever,” Mierzwinski said. “That’s wrong, because the states have always been key first-responders and leaders on privacy threats that Congress has ignored.”
Mierzwinski said the federal legislation has “narrow obligations” that simply require companies to report data breaches, without tough rules on how consumers can obtain redress. Some states, for example, authorize affected customers to sue for damages, a right they’d lose if a federal law trumps state rules.
The bank lobby virtually rubbed its hands with glee at the legislation, which it sees as a long-overdue measure that retailers deserve after years of data breaches that incur costs for financial services companies.
If a customer’s debit-card data gets hacked at a retailer — as was the case with Target and others — their banks, not the retailers, are on the hook for the costs. Banks and payment systems assume this legal liability to ensure that retailers use their systems, knowing they will get paid no matter what.
The flip side is that they have to pony up for the cost of hacking — by replacing debit cards, for example — even though they aren’t negligent.
“Following the recent deluge of high-profile data breaches at major retailers, the Data Security Act will hold these companies to common-sense data-security standards like those already required of banks,” said Camden Fine, president of the Independent Community Bankers of America, which represents small banks.
The American Bankers Association, which includes large banks, and the National Association of Federal Credit Unions, also back the bill.
Retailers like Wal-Mart, Home Depot, Apple and REI have backed the consumer groups, and the attorneys general, blasting the legislation as a bureaucratic nightmare that mimics a 1999 law aimed at banks.
For example, it would require anyone who deals with sensitive consumer information, such as a credit or debit card, to first pass a criminal background check. The Retail Industry Leaders Association, which represents large companies, argues this would hit cashiers, waiters and waitresses and even cab drivers.
“Haphazardly slapping rules that were written 15 years ago for the financial industry on retailers, restaurants and thousands of small businesses is not the kind of data security legislation that will safeguard our economy,” Executive Vice President for Government Affairs Jennifer Safavian said. “This is red tape masquerading as security.”
The bill has a decent head of steam thanks to companion legislation introduced by Sens. Tom Carper, Delaware Democrat, and Roy Blunt, Missouri Republican. Brad Thaler, vice president of legislative affairs for the credit union association, said the industry sought a strong bill in the financial services committee since it could be weakened later.
“We recognize that what happens here is not the end of the line,” Thaler said. “This is one step in the process.”