Congress Begins Struggle to Address Data Security Issues

With Congress having stalled in the past on data security legislation, the leaders of the Senate Banking Committee are attempting a new approach—bipartisanship.

Committee Chairman Mike Crapo (R-Id.) and the panel’s ranking Democrat, Sherrod Brown of Ohio are circulating a list of questions they would like stakeholders to address.

On the other side of the Capitol, two House committees that often have clashed on data legislation will hold hearings on the issue next week. At a Feb. 26 House Financial Services Committee hearing, the CEOs of the three major credit reporting bureaus will testify.

On the Senate side, Crapo and Brown are attempting to find common ground.

“Given the exponential growth and use of data, and corresponding data breaches, it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies,” Crapo said, in releasing the questions.

“In the year and a half since the Equifax breach, the country has learned that financial and technology companies are collecting huge stockpiles of sensitive personal data, but fail over and over to protect Americans’ privacy,” Brown said. “Outdated privacy laws don’t address the complex surveillance schemes these businesses profit from today.”

“The collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward,” the two senators said, adding that they would like responses to the questions by March 15; they may be submitted through the panel’s website and the responses will be made public.

The issues the senators would like addressed include:

• Whether legislation can give consumers more control over their data and guarantee notification when a breach occurs.
• What can be done through legislation or regulation to give consumers more information about how their personal data is used.
• Whether legislation or regulation can ensure that credit bureaus protect consumer data and have accurate credit files.
• What can be done to ensure that consumers can exercise control over information collected by data brokers and is used to determine eligibility for credit, insurance, employment and other purposes.

Crapo and Brown have used this method in the past to try to reach consensus on controversial issues.

During the last Congress, they attempted to work together on legislation to overhaul Dodd-Frank. Those negotiations broke down, when Brown said he could not support legislation that Crapo wanted to push.

Instead, Crapo worked with a group of moderate Democrats on an overhaul bill that eventually became law.

In the House, the Financial Services Committee will hear from the CEOs of Equifax, TransUnion and Experian, as well as consumer advocates at its hearing on Feb. 26.

In conjunction with that hearing, Committee Chairwoman Maxine Waters (D-Calif.) has begun circulating drafts of two bills dealing with credit reporting.

One bill would expand consumer access to free credit reports, shift the burden in the dispute process from consumers to the credit bureaus, shorten the time period that adverse credit information stays on reports, restrict the use of credit checks for employment purposes and give the CFPB increased power to monitor credit reporting models.

A second bill would protect the credit histories of people affected by a government shutdown.

On the same day and time, the House Energy and Commerce’s Consumer Protection on Commerce will hold a hearing on protecting consumer data. A witness list for that hearing has not yet been released.

In the past, the Financial Services and Energy and Commerce committees have clashed over data security issues. The Financial Services panel has pushed for legislation that would impose the same consumer notification standards on merchants as financial institutions must follow when a data breach occurs. The Energy and Commerce panel has taken the side of merchants in opposing that legislation.

The clash has been cited as one reason why Congress has not been able to tackle the data security issue.